0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
Size

96KB
MD5

5de97419047b86f979a8631920883008
SHA1

dc8e6be5a3d03792700035f8b32a1a898d3eadd0
SHA256

0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5
SHA512

02d17255dc5c423b658fad527bd4b276784db239146aaf4058b9321eaec23d8ff1a6a9169b5b168dd49da7333dcd3e61cd6f50e200b1a339683569a9216e926e
SSDEEP

1536:WuoKuse4mZRR8/WHZs1rHid42Lk1CPXuhiTMuZXGTIVefVDkryyAyqX:jise42R8eH21rHidJaCPXuhuXGQmVDe0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfpcoefj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjkaabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcnfohmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onkidm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfeljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ondljl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfpcoefj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lggejg32.exe

Executes dropped EXE 46 IoCs

pid	Process
4984	Kflide32.exe
5096	Kfpcoefj.exe
3960	Lgpoihnl.exe
3328	Lfeljd32.exe
4056	Ljceqb32.exe
4696	Lggejg32.exe
2424	Lcnfohmi.exe
3320	Lncjlq32.exe
2216	Mjjkaabc.exe
2660	Mmkdcm32.exe
2824	Mfchlbfd.exe
1572	Mcgiefen.exe
2692	Mcifkf32.exe
4224	Nclbpf32.exe
2804	Ncnofeof.exe
536	Nnfpinmi.exe
1548	Njmqnobn.exe
4532	Onkidm32.exe
2696	Oplfkeob.exe
1504	Ocjoadei.exe
5116	Opqofe32.exe
1260	Ocohmc32.exe
452	Ondljl32.exe
4484	Ohlqcagj.exe
3672	Pfandnla.exe
2484	Pjpfjl32.exe
2588	Pdhkcb32.exe
3808	Phfcipoo.exe
1956	Ppahmb32.exe
912	Qobhkjdi.exe
1368	Qodeajbg.exe
1020	Aaenbd32.exe
2800	Adfgdpmi.exe
4496	Adhdjpjf.exe
3528	Aaldccip.exe
1148	Aopemh32.exe
3836	Bmeandma.exe
3612	Bgnffj32.exe
5100	Bahdob32.exe
2092	Bajqda32.exe
1644	Conanfli.exe
4036	Coqncejg.exe
3984	Cdpcal32.exe
392	Cdbpgl32.exe
4640	Dhphmj32.exe
2620	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Pdhkcb32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Bmeandma.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Dmokdgeg.dll	Kfpcoefj.exe
File opened for modification	C:\Windows\SysWOW64\Nclbpf32.exe	Mcifkf32.exe
File created	C:\Windows\SysWOW64\Pdhkcb32.exe	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Kflide32.exe	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
File created	C:\Windows\SysWOW64\Bjdbkbbn.dll	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
File created	C:\Windows\SysWOW64\Ndnljbeg.dll	Lfeljd32.exe
File opened for modification	C:\Windows\SysWOW64\Ncnofeof.exe	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Qnbidcgp.dll	Aopemh32.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Bgnffj32.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Pnpkdp32.dll	Ondljl32.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Pjpfjl32.exe	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Adhdjpjf.exe	Adfgdpmi.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mcifkf32.exe	Mcgiefen.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Ondljl32.exe
File created	C:\Windows\SysWOW64\Ehmjob32.dll	Lcnfohmi.exe
File opened for modification	C:\Windows\SysWOW64\Mmkdcm32.exe	Mjjkaabc.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	Njmqnobn.exe
File opened for modification	C:\Windows\SysWOW64\Bmeandma.exe	Aopemh32.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Kflide32.exe	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
File opened for modification	C:\Windows\SysWOW64\Lgpoihnl.exe	Kfpcoefj.exe
File opened for modification	C:\Windows\SysWOW64\Lfeljd32.exe	Lgpoihnl.exe
File opened for modification	C:\Windows\SysWOW64\Njmqnobn.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Blqhpg32.dll	Onkidm32.exe
File created	C:\Windows\SysWOW64\Dbfpagon.dll	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Bfnikd32.dll	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Lbmolo32.dll	Lggejg32.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Njmqnobn.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Oplfkeob.exe	Onkidm32.exe
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Jhafck32.dll	Kflide32.exe
File created	C:\Windows\SysWOW64\Bkncfepb.dll	Lncjlq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Coqncejg.exe
File opened for modification	C:\Windows\SysWOW64\Lcnfohmi.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Hbobifpp.dll	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Mjjkaabc.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Bcjfln32.dll	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Mcifkf32.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Ohlqcagj.exe	Ondljl32.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Lgpoihnl.exe	Kfpcoefj.exe
File created	C:\Windows\SysWOW64\Mjjkaabc.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Baiinofi.dll	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Hehhjm32.dll	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Enfqikef.dll	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Conanfli.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Mpolbbim.dll	Nclbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjpfjl32.exe	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Ocjoadei.exe	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Jcgmgn32.dll	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Mfchlbfd.exe	Mmkdcm32.exe
File created	C:\Windows\SysWOW64\Ldpnmg32.dll	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Bajqda32.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Cdbpgl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
216	2620	WerFault.exe	137

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll"	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfeljd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmgn32.dll"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ondljl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll"	Lggejg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhafck32.dll"	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcifkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll"	Lfeljd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Ondljl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjpeo32.dll"	Mcifkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qobhkjdi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4984	2320	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe	92
PID 2320 wrote to memory of 4984	2320	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe	92
PID 2320 wrote to memory of 4984	2320	0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe	92
PID 4984 wrote to memory of 5096	4984	Kflide32.exe	93
PID 4984 wrote to memory of 5096	4984	Kflide32.exe	93
PID 4984 wrote to memory of 5096	4984	Kflide32.exe	93
PID 5096 wrote to memory of 3960	5096	Kfpcoefj.exe	94
PID 5096 wrote to memory of 3960	5096	Kfpcoefj.exe	94
PID 5096 wrote to memory of 3960	5096	Kfpcoefj.exe	94
PID 3960 wrote to memory of 3328	3960	Lgpoihnl.exe	95
PID 3960 wrote to memory of 3328	3960	Lgpoihnl.exe	95
PID 3960 wrote to memory of 3328	3960	Lgpoihnl.exe	95
PID 3328 wrote to memory of 4056	3328	Lfeljd32.exe	96
PID 3328 wrote to memory of 4056	3328	Lfeljd32.exe	96
PID 3328 wrote to memory of 4056	3328	Lfeljd32.exe	96
PID 4056 wrote to memory of 4696	4056	Ljceqb32.exe	97
PID 4056 wrote to memory of 4696	4056	Ljceqb32.exe	97
PID 4056 wrote to memory of 4696	4056	Ljceqb32.exe	97
PID 4696 wrote to memory of 2424	4696	Lggejg32.exe	98
PID 4696 wrote to memory of 2424	4696	Lggejg32.exe	98
PID 4696 wrote to memory of 2424	4696	Lggejg32.exe	98
PID 2424 wrote to memory of 3320	2424	Lcnfohmi.exe	99
PID 2424 wrote to memory of 3320	2424	Lcnfohmi.exe	99
PID 2424 wrote to memory of 3320	2424	Lcnfohmi.exe	99
PID 3320 wrote to memory of 2216	3320	Lncjlq32.exe	100
PID 3320 wrote to memory of 2216	3320	Lncjlq32.exe	100
PID 3320 wrote to memory of 2216	3320	Lncjlq32.exe	100
PID 2216 wrote to memory of 2660	2216	Mjjkaabc.exe	101
PID 2216 wrote to memory of 2660	2216	Mjjkaabc.exe	101
PID 2216 wrote to memory of 2660	2216	Mjjkaabc.exe	101
PID 2660 wrote to memory of 2824	2660	Mmkdcm32.exe	102
PID 2660 wrote to memory of 2824	2660	Mmkdcm32.exe	102
PID 2660 wrote to memory of 2824	2660	Mmkdcm32.exe	102
PID 2824 wrote to memory of 1572	2824	Mfchlbfd.exe	103
PID 2824 wrote to memory of 1572	2824	Mfchlbfd.exe	103
PID 2824 wrote to memory of 1572	2824	Mfchlbfd.exe	103
PID 1572 wrote to memory of 2692	1572	Mcgiefen.exe	104
PID 1572 wrote to memory of 2692	1572	Mcgiefen.exe	104
PID 1572 wrote to memory of 2692	1572	Mcgiefen.exe	104
PID 2692 wrote to memory of 4224	2692	Mcifkf32.exe	105
PID 2692 wrote to memory of 4224	2692	Mcifkf32.exe	105
PID 2692 wrote to memory of 4224	2692	Mcifkf32.exe	105
PID 4224 wrote to memory of 2804	4224	Nclbpf32.exe	106
PID 4224 wrote to memory of 2804	4224	Nclbpf32.exe	106
PID 4224 wrote to memory of 2804	4224	Nclbpf32.exe	106
PID 2804 wrote to memory of 536	2804	Ncnofeof.exe	107
PID 2804 wrote to memory of 536	2804	Ncnofeof.exe	107
PID 2804 wrote to memory of 536	2804	Ncnofeof.exe	107
PID 536 wrote to memory of 1548	536	Nnfpinmi.exe	108
PID 536 wrote to memory of 1548	536	Nnfpinmi.exe	108
PID 536 wrote to memory of 1548	536	Nnfpinmi.exe	108
PID 1548 wrote to memory of 4532	1548	Njmqnobn.exe	109
PID 1548 wrote to memory of 4532	1548	Njmqnobn.exe	109
PID 1548 wrote to memory of 4532	1548	Njmqnobn.exe	109
PID 4532 wrote to memory of 2696	4532	Onkidm32.exe	110
PID 4532 wrote to memory of 2696	4532	Onkidm32.exe	110
PID 4532 wrote to memory of 2696	4532	Onkidm32.exe	110
PID 2696 wrote to memory of 1504	2696	Oplfkeob.exe	111
PID 2696 wrote to memory of 1504	2696	Oplfkeob.exe	111
PID 2696 wrote to memory of 1504	2696	Oplfkeob.exe	111
PID 1504 wrote to memory of 5116	1504	Ocjoadei.exe	112
PID 1504 wrote to memory of 5116	1504	Ocjoadei.exe	112
PID 1504 wrote to memory of 5116	1504	Ocjoadei.exe	112
PID 5116 wrote to memory of 1260	5116	Opqofe32.exe	113

C:\Users\Admin\AppData\Local\Temp\0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe
"C:\Users\Admin\AppData\Local\Temp\0cec747b9f2b5dad2d0ee6b68851fc931dbb816c3519d103d9f64dfe0581b7d5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\Kflide32.exe
  C:\Windows\system32\Kflide32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\Kfpcoefj.exe
    C:\Windows\system32\Kfpcoefj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\Lgpoihnl.exe
      C:\Windows\system32\Lgpoihnl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
      - C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        47⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 400
        48⤵
        Program crash
        
        PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2620 -ip 2620
1⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3496 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
96KB

MD5
3007d1d80bf32f5d8e01e18ae3d03fe7

SHA1
68554b1ceb871832a24f6601a7fea8fadefe522e

SHA256
7a1a911280217b55eaa55948ec4df7c8f3a7313e79d71f555074cc015c756820

SHA512
264ffb43ea7c2627ede892a9c2e618e80d6df4b5627999061b52ba9994246875c1bc0a51c4cf59148b9b7d13b25dea0afb4e5ca8d82afc1e3da6001ede13d6f6

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
96KB

MD5
8651e74f5226d1af08ab97b157de3673

SHA1
6f02ecbb15caac46f44b5da252e56ccd90f940de

SHA256
60bbd769019636367bcf9cead7a88fe331b8fb256cc08d48827d64637dd2ade5

SHA512
98024457e2c0571892a7a426b37039635467e12a8c86d2244f85bda2206c21eabb09527accc904772a33261f6418d68a359e08a0913763e109abebf6b003dd30

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
96KB

MD5
1f9c602f63f42034ed4012ef2e7573d4

SHA1
774457e6984e0e2476b5cf52ee220c727c572af1

SHA256
a9ea89e9cedd80577aa1d099297bc145d5d40845ec4be105b581fdcb90d69d3f

SHA512
f6749594bb5070a1efb12494097100e261d6f9027f4b729e7390f3fe141dffed7a0d7abeb59dcbeda9fc8451dfda8a843a56ebc58b4896ad53ce31fa44ba89c5

Download Submit
C:\Windows\SysWOW64\Kflide32.exe

Filesize
96KB

MD5
293ca917379f1135a92213cf3a3c05ee

SHA1
2e9d9f0ae0ddaf7cac554ad78266d0a3421146dc

SHA256
643f5993d10ca206c2481d23b2540d1bfeb6c129a9c56c1ff2d406983832a534

SHA512
0532afeba6b1f0e98331f9d9eb8dd58fdc9cc66ad7eb020b0768c6040b69785913bda62399720733fe61e7a0c818e84e963262deaa32e04498e97abb4c98db69

Download Submit
C:\Windows\SysWOW64\Kfpcoefj.exe

Filesize
96KB

MD5
680cdec1a7d60bc2bc3662930f539486

SHA1
f929b0bd82178d9ab47fca897d379867cd865ff5

SHA256
2223b4007d0d93c445f7020d7942f6120a61c1aaf2ca4456700d8377be7be297

SHA512
59eaa99beedcb4dde2eafe385fda300b1f31b14305c0c09bbbe9e52a2120cc5c3d6e27e6bb28ce57c1d5d18882f4554d5a5c282dba9e029e8975fe6573406a31

Download Submit
C:\Windows\SysWOW64\Lcnfohmi.exe

Filesize
96KB

MD5
3ab459f1d55316f05a00386f7ab2d799

SHA1
1b7ef6e88693a6ae55c00d7267df2b51f4c1c346

SHA256
6c1fb57d843c9cee8eb53ffad65f6f06408bb8e97f1c7d275261c5a6d1315b6e

SHA512
2d3fadc527a6988837b947c7429852965a966d6fd37e143c4e4a0df3d778d1d083251e788a6337896495f4ebe116367d6e5cffd9072a9470553572b8eb195794

Download Submit
C:\Windows\SysWOW64\Lfeljd32.exe

Filesize
96KB

MD5
7fd405cb67b9ec42b588c2139297e88f

SHA1
fd1514eef6a6d6d45693a16846743b64cd49f795

SHA256
1e2f86d5c6d0203e31f3aa12a8c8ee987e895edda79ddbac50ab9db7f4c7a2bc

SHA512
c1bb8455476d8d1b6d40f5b202cee3d43e5945ca39c9b8c9498218a82d2ceb4b30a4bb43aa1e7ad176f08045f0f4fc58d480a530112a7ec483228376e1825c62

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
96KB

MD5
14895f544af1eb2d82c633d905edfc04

SHA1
6fb287b914295e1ffa6c1c5241d941e17094eb31

SHA256
eb6e5e480a93d662b6c52458f01631aa668cab1e56a2a7f87e3dbb060fa650a5

SHA512
069346b06ee0963905482d15e3fd8f44977cf9487750e014e3129ba8135616d9e0b382037bfaac9dba8042dae6fc0866fe8bf026aeff6286f2ccd59e7c3625be

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
96KB

MD5
104f752708104d238af9810ab23e8185

SHA1
e0c607f4ba62bd62f1b89082af12ba0cb57aef53

SHA256
fbfe72025c04df373418beea62f6113c968788bbf445a0b5dda9e2972b861449

SHA512
9f9693a4b1432565c0e8ead5a0237d15ac614cee62177d6db97b4fd9cd39f42bfa9ea5f279e9a9664a6e7271c57e65a623f3c6dbc5e081e7c77692f8cd882ec0

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
96KB

MD5
08dcd5da04314fef496d54cc0f3f80e5

SHA1
79ce94fd8965668fdeb5b9731b47ea72db2b3d87

SHA256
f9718982a17c6d61f8fd9a21d8550cf600306d00fb3d55b7fb189d3240c00e87

SHA512
c06589f6d0b29e4f1e8d09482e72af62c52105c03a0c86e74486bc9ca973e4fb86f60f425a938d4b83d4ca759072da4c0723ffe21b60924b8b00e730a62eaae1

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
96KB

MD5
09f6f378bdfdd9e8c6e8334d3eff4f5d

SHA1
6ea1ad6aaa55698fdc5820f5724262c1589b0f6e

SHA256
1c9af99d1a90fd3dd0c362a10cf05892cbdd582cd853133cc80e91db9e966db0

SHA512
b8a6b0e565757142e32e4b600620461daf0a689ee0bf561e77efb4cbc52ead9a40ebaa071f34e752d864f0b755022303bfbd40335362f365fe34ecd3566f0bdd

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
96KB

MD5
a7647721a0173a7ac2c151e6aa641caa

SHA1
6125fb3360c893f8b02fc658c64f59748f5bc6ce

SHA256
ba1efe5905b3ae8c556aac7671dbe97dcc1d2f4c54d9987fda97295ada0229a2

SHA512
cde5012c377b194919d2ef4961952c6f4d7109ee9ff1a34205d7501e4d1b0284a3701859717d0c94802a2e4c92867c021f7ae972137d64ef5658d72d22f90faf

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe

Filesize
96KB

MD5
2e01508cb3c141a6728524e1fce209c5

SHA1
a7c63d357981952da732a031fe65979cac6771e2

SHA256
ba37ca4e6c2f5f1b5948fadfe20230f70d6b797d769d8d37a4a575cb3d94901d

SHA512
bb628f9e42a8880303c8eb8ccc229a3998fb0113a56cbc9571a94a782dd120b1108e3e106abefbca03fdca381a45d2d12bff0c3cee70c1643552f9961de1ad0a

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
96KB

MD5
d4f6265a061028eefa00fdd234341990

SHA1
1b968e0223b39d1db71239a20f2c8c19c07feb9d

SHA256
261cce3396b12f0bc08f522353646c7ccea01a35693f3366d7d2e4f2442c30b2

SHA512
9cf61c60d4b21e12991ac56a9fb0e8eb78914cbd9131d08477d656d1819fabb6b625c4fa0eac79521565ddf81d411a1e392b19f8a67b106441cb152f2a0df490

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
96KB

MD5
208cde47248180fd82c75f426b366bf2

SHA1
cd9ee88c1b3a49ffbaa482fbfe2045e980fd60c5

SHA256
848e061698f9be9c99db888ba10b14fae2f9ec60ce500e6101df6140270a2c0f

SHA512
7679360a5aa63c83645a577e96eb6f444566339723bb6781b1eb17e2c98d27d60cd76be9d5a2e3b2f6b5100c3762e8a8093982534bd582d4350641494dba8f25

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
96KB

MD5
ff73ad236dca4301b7555f93ff0690d9

SHA1
b773df7b128eb007c26af60830e48fa508244714

SHA256
660c5cef4552b9fcb1fb44b94bdc74ba3dfd1428a689f33aca908fe68212004e

SHA512
826259772efc1c363d0515864769d2865b7eb08707918b1859d3cc4d906ce62bec109d608de04557114583de2ec6b9fe0f4fc4dd8a0dcf8e8cd32f0cc58bf667

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
96KB

MD5
09f7352c257a59b3823b2340e43e1d7a

SHA1
f9eb33ef8b96c7514c2b075ab1e1e1aa1aaa6198

SHA256
94d2840d50e0af20555612f49c9945ff433886cf14b207a5632052bcbdbde812

SHA512
ed94dd9323bdf86ec474071875f74913f6098d3310b313109b28fe66a048c5e588e53784bcdcfffcab2d73d19d51e568decda7afed2b137d047b84686e7f4bfc

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
96KB

MD5
1d9ec6aca9562e036945560347e09ab9

SHA1
e4553a82e7edb214ce79fc2823d7db369da3fda8

SHA256
d76aade49cd7991a24687749951f0a05fd3b1d2f1e67bfc50b043f92b09039b6

SHA512
64d32159fa736a1425057edfba42437dd61774352dae8b09d770ec4f348099a55bd3647683f81700cb8a5930011a1ee5ed8f541a122383e00cf2f96fa1a68885

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
96KB

MD5
16c8db42dad672d83422efb68b59a006

SHA1
ef0d64f29759e19bd4ed831dd1d60c59d062c99d

SHA256
058177465995d270bec38afb4830fa65b2deba7831eafe709be217e0e736e908

SHA512
3499dfa20acd977a8e2c9d2698cbc098f8f58510d0e0fd0f28c0f605d396af5dfeabd206373a1d9f56430b77131144e6840dba8a231808b9c900740914ccd8d9

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
96KB

MD5
5c5d1f607b5ecdd04fff4f98badd580c

SHA1
75a193c3ec02466c34bd146b83160999608dce2a

SHA256
acf0ffe3b30daa99850423f670d16d5369fe773e2b610215f8ce8be0e978a5ee

SHA512
8ceec95dc499c0ea764579b904cec8e1d885c40139bd1ca1dd6204f650370392ff2da55408c7343f6a4f3c6028819740b30a9f41f4ee7f8b15d258fa507ef166

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
96KB

MD5
cddbb4cbd681fa9094cc66fe346646e6

SHA1
94c35930999b3f0e8ac4669dbb259dcc29d2e594

SHA256
31af355e18635c3e8ecf13136f4ca1addc318aea10f3bb203cd9a9ecf62a9cde

SHA512
d27b576a6fefb8e615a36aef2f670e53057fd100f015ddb72cab81b5cb128aaa3c2a30f0590de0a4acceb3e13d9b2d8ab802e96147e8447618d219c5215edebe

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
96KB

MD5
8a4ae8f97c510f279042eedef0a53cb6

SHA1
8d4f66852c418f8a1ff9889351954351c58a7d50

SHA256
1d1e6465f5b2a59dc3b75a5c847345d3bbf26d060cecc62950add5485d6d839c

SHA512
41da4ee19f0f67e7a2d93b1cb65cec3ccc6b1b3a2cbf0dc16e84c355b171b497ea6b4d84ca9269a13bbd22d68f018303e8d665c47840b1f47ca41fdb342ae14f

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
96KB

MD5
64c73f3c9b0fdd9a68cb67cd2ed46095

SHA1
1af9b9f743d434ba289795da282fb94ec132d491

SHA256
d37ba7e76d8c39ce9cf897494318484290177a64d353c2a0465f3e80f919697e

SHA512
33165c27ec983c75811b3d2682d4e7004150dda60e3f4fd0ba44be8d191310162fccd3dfe24ac70135aff5214b4464d163da6e938e1606fa883d5d5deac0e70b

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
96KB

MD5
02813456259ba8be7d540ece8bed53e1

SHA1
95fbf8f7f039dc71f65e2109e98c204e5ccfd13a

SHA256
74fe00ed963e9ea9d89f18c78f3275194a14f8ea6e0b256b80c2928f21d2ff5f

SHA512
c88362ab436173e5a5859518c72cc8b9b7a5d206e05dfa2bc0fb0c77428fb5d0b708c990551292a9593915c2ed5b0ec6d61f37cb0ed2b85c92e9c77df39145af

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
96KB

MD5
7863d3d75bdace321bf00bd29d5e4ba0

SHA1
78656777f1fa6f5f52efc812e12a89bbf81c10ef

SHA256
60367d755dfba5c46506e8c8138a57fd8cfb8f960e8be1e41e821a937e827084

SHA512
cd105edff7eb28c1cfb0dd762970bb6b5c9976dede97c2e26e8430b40f673fadffab698389b62989d0401dda05f389010691cc0382a22fdcd9a5299251debb82

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
96KB

MD5
1acea82b446879b48e5a4de2ff64552b

SHA1
897e39df33d4616bf742e731b3346dce9613d739

SHA256
9269056afdc69e08462a2bb085fbc2f974c24f5a85754ce2cf55acda5240a7d6

SHA512
0452e08753a7b673a3e3c30c70e34bc56fefea56a32427d77d2bc941d3bac7ee49b1fbd14ee309175f8e070c1c458a161028f790d244745d1ee624a290713071

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
96KB

MD5
d57847af73a1cd6c84f3c44bec93cd78

SHA1
e5f0c1817fc6c2f39ca51369efc9d7c8104d9cef

SHA256
2f5ba3e12e64badd150bc19c17e04578ebe4279d28ece93847a7e53f622c58e1

SHA512
eef1f081dc9b9e0406623944ce795e9297b7cb2ac940b000da31d5dc4115f0c63a8f463342e23386fe16c16584514a381f16e6205dad7f452c43d65d1a0c16ce

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
96KB

MD5
7e5a2d3c0c2c4a5a5386148049fa1cb4

SHA1
010e23fa1d24d5f5e6f7a76c6f2e462deebac244

SHA256
0a9f02e0fb066ddb3841ea4016407c094e05ab85e83265b7d12c6dbdc1cf15a9

SHA512
38ec47af59b09b6a76579ca789d28a4234f8675703d50e0cde0bd218885422e0a6320422fdb21fdde2412ec423abcbfe08a09d9e15856123091eb08e74a8849e

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
96KB

MD5
afcb1343a31cd073571839399780d644

SHA1
9fe1dec80bc7aa94cccd67b38b65eb755543955c

SHA256
88b5993b8c6c7f6555d61b3b44a5a17569495bd1a8b249bda4f0e8c5a8618b31

SHA512
02b7b9f3073094aa991a381b6a8f4d53c9b72e1447ff333672530cf0c811747fd23297bc99cf089ced367959c3985ab3497219f836560cb1d22fdf87f6fc2eeb

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
96KB

MD5
40bd18bac41ec2723105d61228b689a7

SHA1
e3b32ff14fe6842d86142fa0bccd8310e23c2773

SHA256
337df2bb975e0cecc5b950f62883d58221bdf2f73f5ac02947e8bb7f246f8227

SHA512
b197da81768358a682d2c1745af3ec84d70bb44ce5ee0a7a1289cc6b593c08be04de824417f1708649c262836faf41738b2be9c924e355bd8e1ab17c111e876f

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
96KB

MD5
7e5fa7b18e4b79f58f322d5cb5699fc6

SHA1
bb962a960f517d5b14872d40003e50e60f7d2780

SHA256
16cec9d4d6ce9a4fd03388360471eeb20abff86994c3b4767f374f5096a1d3e5

SHA512
30c76cbbe59c34e8398da542abf34abbe09d41fc73a4591db844023629fd47dfe31278e265c6e24f1c5a4e30da92fcef11aecccd7031bb027fd26ff8a16b7931

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
96KB

MD5
f386d4dee44483e4d0be572012c9ec32

SHA1
cb04488fcf547a6d0566c32270b1648db470bc96

SHA256
48f7b61ec6704d692326cb54b7a26c714ff124b460e3ec25a725fbc98e374909

SHA512
973ed958196b7eb8f0dc461b9bfdf89aaca7e8cf50e2436b4a5600e52df85c46184b0e0149bcd3e1fed1eae86238605ba33967ad9171dfe224aa9fa351e42738

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
96KB

MD5
f3009d4970f2aa912b8fb17400572f61

SHA1
91fb8af663a16f813ad62d518a97a91aa9b5963a

SHA256
31eba7c03e4e5763c428b7fa84443d41b7819c96503d5e9513ae2ff34c986c5c

SHA512
5043047bb1e52ea442fa4a9399cd4cbdb9ce3f674a58e2e259e7a9840011768df98df244507efae0acc0629b4e3ccb3411622509a95d9622525cd9e242a09b3c

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
96KB

MD5
5a6184ab885100ecc66acb321dc7d84c

SHA1
c4ad92a95db74f732c34f8e3381bd4d06427e8ae

SHA256
a546d87413a436fb1fac48a35d1c608535a7b6d19f716668dfadf9b275ce2d69

SHA512
7e80cfcc009a086a1781539c51ea55a135878dc78e5b37564a3f9ccddf4d9d7d5ac8ac9fd648b2991b901635ad8e558c93e7d216f85affe55d78b2de4fbefba3

Download Submit
memory/392-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1148-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1148-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1260-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1260-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1368-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1368-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1956-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1956-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2320-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2692-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads