0b44da73507161b5221df353e7bd9cdf5f540e48466bf207dcf7dbf5d300aec6

Analysis

max time kernel
51s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b44da73507161b5221df353e7bd9cdf5f540e48466bf207dcf7dbf5d300aec6.exe
Size

305KB
MD5

fb6bc0edb74233f2eee160b861e92bec
SHA1

663c12cf04add8a8b5b36acb6227cdc4179d2337
SHA256

0b44da73507161b5221df353e7bd9cdf5f540e48466bf207dcf7dbf5d300aec6
SHA512

c8a5c6e2db434ebf1fbd2f1482b30f6a2650389aa45ad420a685c2042f69b0e392039da11d9fd7d4ed160c98fec0411d5edad5474b4a647aeb8a56af135547f2
SSDEEP

6144:r7KSSS5pMNxunXe8yhrtMsQBvli+RQFdq:vKSSzvAO8qRMsrOQF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe

Executes dropped EXE 64 IoCs

pid	Process
2072	Nckndeni.exe
3176	Nfjjppmm.exe
5084	Nnqbanmo.exe
2484	Oponmilc.exe
1372	Ocnjidkf.exe
992	Oncofm32.exe
1000	Odmgcgbi.exe
2652	Ogkcpbam.exe
828	Ojjolnaq.exe
2216	Odocigqg.exe
2632	Ognpebpj.exe
3868	Olkhmi32.exe
4432	Odapnf32.exe
3080	Ogpmjb32.exe
2580	Ojoign32.exe
3764	Olmeci32.exe
364	Oddmdf32.exe
5048	Ofeilobp.exe
1688	Pnlaml32.exe
384	Pdfjifjo.exe
3448	Pfhfan32.exe
4580	Pdifoehl.exe
2960	Pclgkb32.exe
436	Pfjcgn32.exe
872	Pjhlml32.exe
2980	Pqbdjfln.exe
2108	Pgllfp32.exe
3104	Pmidog32.exe
4664	Pqdqof32.exe
4116	Pgnilpah.exe
4364	Pjmehkqk.exe
3652	Qqfmde32.exe
2184	Qfcfml32.exe
2288	Qnjnnj32.exe
4584	Qddfkd32.exe
1168	Qgcbgo32.exe
2392	Qffbbldm.exe
4480	Anmjcieo.exe
1164	Adgbpc32.exe
2660	Acjclpcf.exe
768	Ajckij32.exe
1816	Ambgef32.exe
2128	Aeiofcji.exe
1152	Aeniabfd.exe
2212	Acqimo32.exe
3344	Ajkaii32.exe
3172	Anfmjhmd.exe
4676	Aminee32.exe
1136	Aepefb32.exe
1644	Bfabnjjp.exe
432	Bnhjohkb.exe
1740	Bagflcje.exe
2416	Bebblb32.exe
3108	Bganhm32.exe
3120	Bjokdipf.exe
2028	Bmngqdpj.exe
416	Beeoaapl.exe
2528	Bchomn32.exe
2984	Bjagjhnc.exe
1944	Balpgb32.exe
4036	Beglgani.exe
2588	Bgehcmmm.exe
2516	Bjddphlq.exe
2384	Bmbplc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5276	5184	WerFault.exe	193

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndikf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2072	2492	0b44da73507161b5221df353e7bd9cdf5f540e48466bf207dcf7dbf5d300aec6.exe	81
PID 2492 wrote to memory of 2072	2492	0b44da73507161b5221df353e7bd9cdf5f540e48466bf207dcf7dbf5d300aec6.exe	81
PID 2492 wrote to memory of 2072	2492	0b44da73507161b5221df353e7bd9cdf5f540e48466bf207dcf7dbf5d300aec6.exe	81
PID 2072 wrote to memory of 3176	2072	Nckndeni.exe	82
PID 2072 wrote to memory of 3176	2072	Nckndeni.exe	82
PID 2072 wrote to memory of 3176	2072	Nckndeni.exe	82
PID 3176 wrote to memory of 5084	3176	Nfjjppmm.exe	83
PID 3176 wrote to memory of 5084	3176	Nfjjppmm.exe	83
PID 3176 wrote to memory of 5084	3176	Nfjjppmm.exe	83
PID 5084 wrote to memory of 2484	5084	Nnqbanmo.exe	84
PID 5084 wrote to memory of 2484	5084	Nnqbanmo.exe	84
PID 5084 wrote to memory of 2484	5084	Nnqbanmo.exe	84
PID 2484 wrote to memory of 1372	2484	Oponmilc.exe	85
PID 2484 wrote to memory of 1372	2484	Oponmilc.exe	85
PID 2484 wrote to memory of 1372	2484	Oponmilc.exe	85
PID 1372 wrote to memory of 992	1372	Ocnjidkf.exe	86
PID 1372 wrote to memory of 992	1372	Ocnjidkf.exe	86
PID 1372 wrote to memory of 992	1372	Ocnjidkf.exe	86
PID 992 wrote to memory of 1000	992	Oncofm32.exe	87
PID 992 wrote to memory of 1000	992	Oncofm32.exe	87
PID 992 wrote to memory of 1000	992	Oncofm32.exe	87
PID 1000 wrote to memory of 2652	1000	Odmgcgbi.exe	88
PID 1000 wrote to memory of 2652	1000	Odmgcgbi.exe	88
PID 1000 wrote to memory of 2652	1000	Odmgcgbi.exe	88
PID 2652 wrote to memory of 828	2652	Ogkcpbam.exe	89
PID 2652 wrote to memory of 828	2652	Ogkcpbam.exe	89
PID 2652 wrote to memory of 828	2652	Ogkcpbam.exe	89
PID 828 wrote to memory of 2216	828	Ojjolnaq.exe	90
PID 828 wrote to memory of 2216	828	Ojjolnaq.exe	90
PID 828 wrote to memory of 2216	828	Ojjolnaq.exe	90
PID 2216 wrote to memory of 2632	2216	Odocigqg.exe	91
PID 2216 wrote to memory of 2632	2216	Odocigqg.exe	91
PID 2216 wrote to memory of 2632	2216	Odocigqg.exe	91
PID 2632 wrote to memory of 3868	2632	Ognpebpj.exe	92
PID 2632 wrote to memory of 3868	2632	Ognpebpj.exe	92
PID 2632 wrote to memory of 3868	2632	Ognpebpj.exe	92
PID 3868 wrote to memory of 4432	3868	Olkhmi32.exe	93
PID 3868 wrote to memory of 4432	3868	Olkhmi32.exe	93
PID 3868 wrote to memory of 4432	3868	Olkhmi32.exe	93
PID 4432 wrote to memory of 3080	4432	Odapnf32.exe	94
PID 4432 wrote to memory of 3080	4432	Odapnf32.exe	94
PID 4432 wrote to memory of 3080	4432	Odapnf32.exe	94
PID 3080 wrote to memory of 2580	3080	Ogpmjb32.exe	95
PID 3080 wrote to memory of 2580	3080	Ogpmjb32.exe	95
PID 3080 wrote to memory of 2580	3080	Ogpmjb32.exe	95
PID 2580 wrote to memory of 3764	2580	Ojoign32.exe	96
PID 2580 wrote to memory of 3764	2580	Ojoign32.exe	96
PID 2580 wrote to memory of 3764	2580	Ojoign32.exe	96
PID 3764 wrote to memory of 364	3764	Olmeci32.exe	97
PID 3764 wrote to memory of 364	3764	Olmeci32.exe	97
PID 3764 wrote to memory of 364	3764	Olmeci32.exe	97
PID 364 wrote to memory of 5048	364	Oddmdf32.exe	98
PID 364 wrote to memory of 5048	364	Oddmdf32.exe	98
PID 364 wrote to memory of 5048	364	Oddmdf32.exe	98
PID 5048 wrote to memory of 1688	5048	Ofeilobp.exe	99
PID 5048 wrote to memory of 1688	5048	Ofeilobp.exe	99
PID 5048 wrote to memory of 1688	5048	Ofeilobp.exe	99
PID 1688 wrote to memory of 384	1688	Pnlaml32.exe	100
PID 1688 wrote to memory of 384	1688	Pnlaml32.exe	100
PID 1688 wrote to memory of 384	1688	Pnlaml32.exe	100
PID 384 wrote to memory of 3448	384	Pdfjifjo.exe	101
PID 384 wrote to memory of 3448	384	Pdfjifjo.exe	101
PID 384 wrote to memory of 3448	384	Pdfjifjo.exe	101
PID 3448 wrote to memory of 4580	3448	Pfhfan32.exe	102

C:\Users\Admin\AppData\Local\Temp\3689110231\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\3689110231\zmstage.exe
1⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\0b44da73507161b5221df353e7bd9cdf5f540e48466bf207dcf7dbf5d300aec6.exe
"C:\Users\Admin\AppData\Local\Temp\0b44da73507161b5221df353e7bd9cdf5f540e48466bf207dcf7dbf5d300aec6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\Nckndeni.exe
  C:\Windows\system32\Nckndeni.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\Nfjjppmm.exe
    C:\Windows\system32\Nfjjppmm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\Nnqbanmo.exe
      C:\Windows\system32\Nnqbanmo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        34⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        43⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        45⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        47⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        56⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        63⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        65⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        68⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        70⤵
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        72⤵
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2020
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        77⤵
        Drops file in System32 directory
        
        PID:724
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5108
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        79⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        80⤵
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        81⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        83⤵
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4944
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5052
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        88⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        89⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4252
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2220
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        92⤵
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        93⤵
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        95⤵
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        98⤵
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        101⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        102⤵
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        103⤵
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        104⤵
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        105⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        106⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        107⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        108⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        112⤵
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        114⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 432
        115⤵
        Program crash
        
        PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5184 -ip 5184
1⤵
PID:5252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
305KB

MD5
bde1b16e350d06b3feeaf45a9dab028a

SHA1
659f387b465c21f1b6743b0339a95404ac81eb6c

SHA256
e50019b2a774c1784282f7a97ed123f4ded07dd90c43c0698734ad87be12e41c

SHA512
eaa914b0c8d33c5a6387aeb60e3ab10ecea0590e01607d41aed3fe745b3350dd322ad1d946f00f08cac8ec772480d39d1554ccc6a2e0d3f98c489111e212a83c

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
305KB

MD5
871168101e31fad3ea9ab03477b885f4

SHA1
0e9a7ee373aa5359f593d130174d7fce7aacc273

SHA256
616b666ac86b48476e9f6ed4a5a6b6954e1c0358ea2444ed21a0d12f79e57f8d

SHA512
1841accad191d250753a6dc5c4de9b1805c9e0e1788c42b5030700fe6a2eeae96cefa81f96be8b8ffffceb2f7f39cf46ba11779c8248ac30b588709439a5a516

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
305KB

MD5
e8ae7f00a1bb48be8a6568394b1621de

SHA1
b9572a0163bbd569e56811a5642dfa8d377060d8

SHA256
43fd0c69cab835fa56e7bab3673d2e0541efa2fb047d32d6efa26033a5418a67

SHA512
8956171ceb5f752eb0c349bab8142ac8e91d614083fe6986f0397b99dbbc6086cab254429dda573c0870d719f9f793193f9f6ea1ce7eb81ed8120ca8cb7b423c

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
305KB

MD5
26307840ecdb3f17ab5aa6bad85161dc

SHA1
7e40499fdc707c7b630eb722e675e6837fb3c384

SHA256
e4115ecfec1a7ef28de35fef4d8f872f7683f7eeff1e9f8e740d8012ced7c479

SHA512
e122dc068eea129d8033d31f9eae7d18279277e353ce89262317991c3585a314acd114acda7094acc848aca2c58101b09363ec45f4611a6247df7a5f05676ef3

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
305KB

MD5
44de380214327db4af32af574233f7fa

SHA1
a1f0f579c72f56574e28d3de64611b57140872ea

SHA256
d423baf49914127b548ab6694628305b678bdb945e78d9b48662641dd164447a

SHA512
76270af5c320d09e9a293638f78d25aef3c458d61f2e07791f8c3499fbc69e4629a9e5017e5fe73dd540faf223dff1c535fc7ddcd9870c3675d5980cc1967357

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
305KB

MD5
0077aa427579cb02ef82899729c295e1

SHA1
c2536d1cb279ba18fd62c2ae57965f9d57a97ead

SHA256
f8d1e0d2dd210b630fd036493e305cc058947609ba695275857a16549ce58f31

SHA512
0ad0f71cdba8296d3a0979b2fb90aaddcb89a88751b2338dd79966ad186f953c95e924488769f626bcf479bd7dd4ac0c6a3bd730921dfed1e83dfd381324d687

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
305KB

MD5
9b8a4e981b6a7d9136e8579ea222cacc

SHA1
62272c93525411eedae590bfc97cbb855669b6b5

SHA256
824fd32574a6b07a754764cd6b635715bac4d290a47b8f4002f8b7fcabb8e9cc

SHA512
fbae26876c2f3aded32eeaf214b7f3889a1d1e54ed9ea6132a9730d79ee6ce5cd2e48b14d8c1d8938fcd65c321fe001392d0e6f2622bdd386c04adbc1b7f7047

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
305KB

MD5
2034f63687c2540ef3f7785ab46edb65

SHA1
92cabb2cf0896c02b77925f1955244ad43aa8bc8

SHA256
57f42e365ae143103853827ce5651a84a382953dc747ea8ccc2fb04f11fe373e

SHA512
49e4cdc6d545fae7174cd13c199eff989523fc2740c1aaa96a16bea2160ff99e04c948c646137f71dbb2f4e16409a845efa9623bd595f5f7d2aa9bf96c288f8d

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
305KB

MD5
b58b49bc86d049fbe047675a68398a3a

SHA1
f42c7180da9b6e4d70ff3218f135ed3811a082f3

SHA256
e48e7d87056e4552e0d676c575cd7a9a2b4444f02b1c51bbcbc2d64ec437a293

SHA512
287b0b0d797037d03deec41921fdcf9a404f8faadb557de2f72d64f4c638b6f221ea0883720139c0c29b31d61f156f041aa0e0e1de1930c404a459e729ed65bb

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
305KB

MD5
2a1f97bc3a1669b1a0a4b5878a6ac9a5

SHA1
ba301e2014cbc894c8acd13b2404747a019e9af7

SHA256
9f54ae182d6bd0d39edda4aba92615bb28bf19f150ada4acadf30ba0dd70e1af

SHA512
a31a0955663a8d5ef6d0aa4e7d7e4bec0f22bd9f3c0d6ec63a65bef51b9c73a83da767ffa96bd4c2daabdc7a3c256f51f5e2470ff66a6aaa6f40f8c89af30f2c

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
305KB

MD5
2bb8590ea9a65abf8dae8f406f05d9f4

SHA1
0acdf392c8b67d85f0677fcae9264870c7c8b170

SHA256
1c6ddabcb4b98fff046916f5a1b6033d38f3b68fe98a8ed8915859933fbf55ae

SHA512
c04cffa29cfaea97b127615f8f95c079f45d8eae9198119ca9a2e9a187285c82ac670dc324bb4e89be35eaa27642f767306d2fdeff0d5082c8993a166ea3d164

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
305KB

MD5
80b497b16b2025f015fd6702fbf0a9cd

SHA1
c06f973a8dd8f533ef20a9e4eaf20d6484c5ba9c

SHA256
a6570d853d9daed1b5d47e1dd910de62b05c08a7830b1d324adfbed4481e5a45

SHA512
7ff86aaa9792f771543b13bc17d26a3441d222c11b8b01518a6dd3edd27c52ae98663b6b1a06557ea58d308c1c1ff91b3c163d0abc0fe69844bcda300c43325c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
305KB

MD5
db1191576cdb5feb9e1b8896caacc231

SHA1
6b80b22384e6be781a86ff99a968fb8537ec4569

SHA256
7ff34d581bc9c0f8bce70244109c965d2d9be74c9c44957e5c9325d2e1c43e95

SHA512
abada9963b0a5ac2083a2b47a9eb23e06e42a1c1b5de4f5df66c643d6de9d49aa6212ab495d39b42464784e8c6b3b0cc5a9c0cf173109aced7cb4083b3330b76

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
305KB

MD5
4493216c0e7ccad47d703d60282200ce

SHA1
9fee929ef69e9122bdaf967c9d3fe846d3fe6394

SHA256
5ee585117b6e16cd79442bbceeec2df150a5a1a096b3cf190c9634208ead985b

SHA512
8f6c156fbeadc263c0d80fc09c05435ad5ff67bb92f2ce956869798106b042c48dbfb7117ae7ea4a11f8e14007bcc9ead0e8cf5e75d83c9c73033efce3233ad8

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
305KB

MD5
b46dbd1adc94be16abe9fc6b1051c6ab

SHA1
fd229dbccd5eaf92e7255616c0735ae9fdbf30b9

SHA256
5615316bdb8aa0c8c1f63a069496808992c0878c8b0c884d33d5eabc31642867

SHA512
a1672cf8bbfe559fccd035d84cae19ac4dab54ef72d64f75d2314efb1ea6cb31a48588e5528d87cf15a8a437c5d4d8482437e468533e9a7f8c97fd1b37d354da

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
305KB

MD5
9d9a9cdcc61bad1e18b89cceb6b81a2c

SHA1
9336af285c3aa104c7e9e0db1932a2eb4b459687

SHA256
209cc3f6c129cc30ac564cd74a7d0065332eec1cd474ae1523212c3a1d41c4ff

SHA512
7e9daf3b63e65c83e7e7ea937ecfca35adb4f3afb9c8551f00f075c3861e42ef6f3b630e9d6b86d58337cdd0f4e89dce2331fd92352cc081923340b4c2797e34

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
305KB

MD5
0a0da3b22370b6bfc8167878538d9207

SHA1
c048f058f1362aa2232399a91e653c67d668ade3

SHA256
ad3d13f434016212e9b0e5bcff3cce869e45849d1dfc48998af8fa2ac1766fbd

SHA512
36d7c858ede43b07c8617cea2bf58cd9460bda767f8e99d2c82cdd07f94490ab7950a94af9d66c0e2621abc192183f5823a5b4fd994f4a9752398bfa4d15952c

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
305KB

MD5
aff44448da1e6156ddc367704a07067b

SHA1
7b0132ff97044e70dad1218c381f0db8fdb58fca

SHA256
3190844f13471dfd40277e2f11f1514f04ec1bf80b9f81c11106f86e5205a971

SHA512
4957d63ee7cfe24c5074c3fd57a7e064c8090ff549fa97d0462c0d9b24be43ec874f81c031fdc00076b63060372a51d27525b8201f3c49ac141a007c3601a2b7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
305KB

MD5
edb9c68ff729edeffb7761776537c270

SHA1
3a0cec9c47de1173db2ad95a907f0dbb715452f2

SHA256
e7b1aa38430ec114d33bd843c360c3d33212f67bf59e653db9125eb4cfb86d80

SHA512
97fb0236b295ff7330af2dbf77d84fcbe909fd687d303cd55df410946b0faa4953d7705a6d87a8ed5e6068c7aa479e17df2c91ae7418b3351d719ba26224b7d0

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
305KB

MD5
b43cc0103eb09d51760b7169fefaa514

SHA1
910899ddafe1b57f1860d24657012c097773122c

SHA256
471be5ba82d45568f67b875a3d41967c12090ca72a1fa58c96fe436d1b4ee5f5

SHA512
88f83812f124e46d9401b83cbd8b0b77946d5c9665a16d1b2966ed7666b2878cb3c1b601bd95d29d8702bdb5e63ea195f957633d6bffd7137112355c9e733c61

Download Submit
C:\Windows\SysWOW64\Najmlf32.dll

Filesize
7KB

MD5
002ee0a4e3fd79e72bd3a50d2ab354db

SHA1
8e9562c32cf82094b81d85903fdd4b79075dafd7

SHA256
2c99e78bed4e629d967e4945a51ad43674f678c03fc78cff3f48d1ee36258b41

SHA512
c1336ea9e326075b98e95fa3a4eb28c177c022fead090f9aa76f2f2b6f8df4cf7aedc1a9bb004dcfa21775f45c610cf1815f9b54cc2e25152901c28ec00e9edb

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
305KB

MD5
eb9c35027564b90dc7373ce31f19f3ed

SHA1
a2e1969d6bb8e4289f05b58f7af1788c1257f192

SHA256
6e29f96d55aad59d0fbd237910263dc2706e1685515432511bebfd897fa42612

SHA512
ef2fdca895b2957bb96d0e8a6f8093f8eb4434ebdb0be1245b3cb7ebf4d895df6130b194fe44eaa62908093bd3e897ab01d5240e47fae6452b53476d98e11b58

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
305KB

MD5
1423c580942820d6913b7078e5737afb

SHA1
0763d5ebf834d7df8848f250bf4347f34481fe67

SHA256
ae5f20df2c5488922df1de48b2b7b967dd90eed10ef8ff0872a5f65bd38e43d7

SHA512
aadb455f23eed1125290cf13ee952304dd825f315c4b6d8aa1c0a5eeb7cedfc8f48d33dcc9da0afa16367fc646a9309fedd051823582eba9be5ed98a6496627f

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
305KB

MD5
ebc7086db56d5822cf3d3bff299cbaa9

SHA1
414bb00a29d418e7959ad227b9ee8dcc39ec039d

SHA256
7e87314d3a7d86b0d5294c5d6a036dae992275d6a5efbe398df57a7cadcde946

SHA512
c7537070656d93d2cdff3cd947bce2a8a4ae4c8f6e39a879e79ab8acce6c6da0863a9e10f0219343394bbeb199f0eb8e8d45b058248a1282a9dfbbf511767312

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
305KB

MD5
004e7bf98fcbc794e90a99fe005a7f0b

SHA1
fa6e767e13f3ff0a0441c0c87e65c6813bd0019e

SHA256
edc4374f111316e1b58e5ae9fe7d6d1499a0b7016206f45afb2479728413765d

SHA512
2ca602b2491f0006c3e0576b9fe578ea17e351cbf9ffebd42d504d4e853ec035909e7c7c942d70cf651e79b641c9e69557145ba9672fa8d05be39bb216a2f370

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
305KB

MD5
814ee130d5fd47db591e786d5e19fdda

SHA1
2b14e00ca5689fe09cf2d040cf0d964ec65af9ab

SHA256
5ea5e191953057dbc62828447893672461848ee16af384a69c7a42dca837be33

SHA512
bee98ccee59a66beaa207dfd6c8338d1a68dfe6a84281dbaaaf0e00d8e432123633cefbf83f45ab46992d5362be4ae3ea528d0d1e6025f9ea496559e73c4ee03

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
305KB

MD5
f131059f37c18c0b2be1747bd2fd10c2

SHA1
3ad7b9fe8c378e8afe7c1a4c90768875350f153f

SHA256
43c366235e741ddfbfc6e2909831a085cef23fb465d822abb8f7ba8423a2ef60

SHA512
689700cd337909abc10fe9e8ad26d37172db8860e280dd1db0258d9c7bf9f70b824261a55dfd7038fc03234158243ac51f20127d92244edd6f118c345c07c9e9

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
305KB

MD5
f8e90a43ba24d15f8eae393e62b09be5

SHA1
40a12931a74656362b3967fd39af79a88c8c6a4d

SHA256
b5ca70848d83f28b533d4f4229e1563d3332063cd2238ab55c1e840f762809d5

SHA512
9b93609fdf48745f41434149f4e88e0c4c43dc3f9e24615dac7330b0f8f83327ef72ef0397855c9f259b22239969929d731e7aeebcbad707b4b852a8e4b7ed14

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
305KB

MD5
06ce8dfb22896b3ec1e4083518e9c137

SHA1
219a5f070bce7bb3f7c4c045c34febaedef83feb

SHA256
2251ca7dbbdfbf76b854355072085a8152a302339bc1c74014061939222ecf51

SHA512
f64b498ead76653d25c255efe882dd5e9638f2dd1d9373ddebce3e7384be355c707f2996a55f04c28e17a9b7f6516375cc0396e857b35bcf891957a995547680

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
305KB

MD5
110a8ce2ec8c83ac260c7ee25b037eae

SHA1
6c0fbdee1dab2efc092f1becc5da05822d9bff4a

SHA256
dc4b8e7541b7b46c4d555215b35f457bdc1e6e9372dd5e7131d27681f012f0df

SHA512
bfdd1d0a6d2dc4ceb79c3e1102d0320d2ff42f3e254d4fed85546de4ca2788100aabb851f71cc723bf3f2aef3746e33fc88a6baffcfaaa70a8172291fe701e3f

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
305KB

MD5
99c826efab763193a4964c5e0b957455

SHA1
efcc9645736478aa0617c0d79c64a1d970376f62

SHA256
b8fb49c05b0f6767172abd242e736fc7ca84748a6b54e9589b01a43ec64bd848

SHA512
47c782327c7bf0564d9882082384c4a22b8a297530f2d0609ff99fe0557e26917bb152d19a2aecaabb5f13ce1656fd03486131df780999943090f7aea53812d6

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
305KB

MD5
7570eab16b9b2b91004408a78e0b2657

SHA1
88bbcc32731033a9eff00fc4be99f684adae490f

SHA256
c8b81e30d0303609d7d21c6f6aecb47adf07950d81d1545c22f94db43bd3fc08

SHA512
ae3555c61c1e8f382751208be34a86b41a21289655b152c44b3696be59fc4379bb5c1660e8588458dfb7a90a5c6800096efa053562fbc1722a3733b541c53500

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
305KB

MD5
61f07dab3941af7762a286181dcc17e6

SHA1
11140641966a9d69719991c51b943cf86fb319a6

SHA256
b1c2a1c980b14d2d7fb4a9f84796e787de78dd5356d9eee45685f49e9e56a526

SHA512
6138eed4d5fb4dfdebd1bbc8a2ba2c47937e0885c0999b2a390f6dd6d6c1dfd923f34bc7ec416fb11ef5556d2a4890edf211e4337fecf22274b1ee1b3fa7a9e3

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
305KB

MD5
ed1577cec49990314d84646f42a70e07

SHA1
49f7947ba4c9e83ae943f65db603e8d60eef9aff

SHA256
c126388b14806af03b7a6d1d4df469fa49960bcb2b3fb19bb8404dd7b98606d8

SHA512
15f62f8b05a55630fcb2312024a3eb330320577f87a83053566912f840902e563a6eaffc6dd1bb5a1a3d6d70dd5b4836a7a273bef1f250eef8892e4b825eea30

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
305KB

MD5
f9d510e8b79d65e384b87c62783fa972

SHA1
e3651d536eb7542f3f00538b9afe6eca9db23595

SHA256
2a8d4f483cec2261a10cb2768e8cdd9daca112b23a843bab89f775e008c36a3c

SHA512
59225cc6ed57f02658bf3bbb27b814af686bef3994a52dd80d2de922649990c39f6f85662d873d6393106eaf23d1dc23b306f0271468f515fe4caf6fdc52e552

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
305KB

MD5
71a1a9dbe89608ff1e4bf25cabf03119

SHA1
37e0cdb8734f477e58e4dc1fcedd875cc033da19

SHA256
4d12cd1581e65308261a6bc9461da3ac6c4eb10a1501beebcd1d66468171b336

SHA512
b24ca9a40b4b69f1f62c36f4df2d86c45a7adf37c4e542a2b76d8ea752972d162c6f1d41a044d93b779c7bc9862c05e9c76eef43c89ead5219771009c6d5c768

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
305KB

MD5
65fe386e745df8f324c0a99b92141797

SHA1
c54d4055f529524c4875bfe08bfd2e6633d9bf8e

SHA256
a7ab27be6e2709b55060ec25f6ad987af63d20790a97bff7f0ca60b6d0090d7b

SHA512
c8d8362b5b7e5066d2c22d783d38682f27bd1e5e141d59256a4cdb53a69130af3e1f68e49d1da00f4dbdb01ca579749075f9cbb19a5093eb10d9360067cff7e0

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
305KB

MD5
77fbe2f7b2901e99cb43044192bd08fb

SHA1
7b1a7ecc7ebe507851d81c5ad6557cf6ba7629bd

SHA256
5572b4c8058308d519ed472c0f89520255a0bd5cfef59eb58512ec7552ae7aa7

SHA512
8c046a21a99017a984282b76aae0ee6aa6a0e6bf6bc50f01edd5c07e3c169c5f85325e9124280c49621a3409957f1e5a59ef1f491475748311ae6ff51f5c2a32

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
305KB

MD5
b8c67c9a0062334b5166f337cba52d7f

SHA1
90faf4dcea042176761044ae717d2387e018229a

SHA256
d5527a9050d25c6af6e9436b8c8482d0243560c6a05205891a970d43c6e2654a

SHA512
28efe1455630b34a196e9582c0eb58dd21c03b1a455f6b019c84325467adf8aac4daea0fbb5d2fd83b5b19b5e85b81115e01a7f4733a0d1ed7ffb0adf7d84815

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
305KB

MD5
749055e24c47beecf2c55917c52152ae

SHA1
76cd65b56909d3dec61b91ed871086740bdd93c6

SHA256
9fe1bd3e17dd526625ae076291962c0aa2de53fcf6bcaea7b1f6a93c9730a170

SHA512
aea2a9e898d54311057c0dd8403502c5e4d9963ae399cff17e77ff465e9395a9f78e88b1eb2107d06dbd5941753453cf25923bbcbe7de7129a55978a64f66289

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
305KB

MD5
2e79106bad533a4840976cd019bce2e4

SHA1
23f7ff6ed85a8c0880212a6be3cca9e213dcbb8a

SHA256
c7c503aea0afd7734b295dc93607dcf54bbcfc17abed5a26b0085bd048fa8483

SHA512
5b584d041558f549874eab7e9b9abf28d7b71b86401872fc34b4bd55b7882f15a74c3bd303c7c6297294e9b4fb6eca8c5b597ff28b461f608b5b606e9f4d7e16

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
305KB

MD5
6ea361931be7aae9526fda84e0fbc309

SHA1
f4119874580ca7da4999a87c2154b8f8da0e22c1

SHA256
004e08a3355b98c7d20a4b147fcc5e7cd86c70f2304e5aaea434fb0ec075dcf2

SHA512
33a6e3c1ac7ba35f95497c0d84225bbb6b6d24c46ecec4107b794f7072102e82a2259850488491a87c81d32459a2a7fefd1e8c130c20ddaeaba9480808742757

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
305KB

MD5
80cb08fd95a37afd9b9846d534ce92e3

SHA1
5f820228498590cebec52ae5875bc99737694668

SHA256
1d7b28d32253f43013081d3144bfe8f28460d77e7522a4e27034756c5e87ac31

SHA512
9d5ed603aa19c70a1109a2cd01f285ea146d14cd9b4b8db71f07d46d8087c8bf5083f82a632d71c8090ac628fe067f49bddc9baadde2503b883dfe3a72d190f8

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
305KB

MD5
ce675c3a4072c099a684aa3b0f35ff63

SHA1
ecd356bd59994ed6c1317af3ac47a40ba3e5a6f2

SHA256
1b0610166d60cf4749a78a1418994537e0f2c9dc9afc363a8053392a65cff943

SHA512
5176a46ef1c1364db411ebfd662f5ce8df6aebb1af9cac6082f606aa899e711cdd7d5e6aa801bfee1e2e2f09d0ed10adc1e6287d646080ad1874bfd0c69356a7

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
305KB

MD5
5bb2bca7e12e14b4823aa6965284aa8b

SHA1
9fc82ba1cd95bce732e3e45285cc78b3bbe9fa0f

SHA256
ea880c6d5031e70cea9c1a0fdf45368bb2690a27f82d522d501eef1154d3c313

SHA512
e16980c9563d892449e8990015bba2212ce16baa7d35af8453d4f3cdf51e10026e24fee2fb444147600de091b2adf1f2f4ff73b3d6546df9aeabb3abb66f57d2

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
305KB

MD5
7ca6884b27afa1dd852a1b82dd80823e

SHA1
17b4a7fbaa9f52eb71447bb42ef24ab37904177a

SHA256
f546b2b127541da00a7819628ed9f932a45e5ec770b9c580bd1749e6b7aa81fd

SHA512
3db492ab0e3f52f8cd0a8b8b4cfafadf2215d021f1c9a2ee6c8b2ac0f2e5675e60d32e2ea275f80755ac5e88f9fdfffa0b5c07ac8339eeadb08de18c2033c54f

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
305KB

MD5
ce88bfac985b62f2bb3d676618733830

SHA1
c01c2fb5aa8aaaed2b6588684769366c321ede8c

SHA256
4e74d51d4794cc961dce66a8ebd3b67afefcc5ddbea722c51e7712d932bf3e84

SHA512
284c2d18b14f8b21409a9d542d1b2d2e9e02feefbb4ba534970b3c3e2fc451fda2d23c5d28bd13193c16da9ec547da579867e547aa421d44d00f5a6172c20200

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
305KB

MD5
6e79d30d330989d909222b17996e200d

SHA1
641b3dc26f331d61d427d286080ca863ac9cf4a6

SHA256
fac26db2e1de327e16d16f5c23c6a40ee06c59c1a6fd0e479bb3448e4cc850a9

SHA512
9f91e43e8e1982a72d7cd610559c92a7b6233549752d4d352d1e6ce7d4abc35f55f29d3d58ff5a0be9bf4cb80b377948b6809ae473231067460faf536ce8784d

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
305KB

MD5
25eb581ef161585aa087d7a5c68d53bb

SHA1
c7a64d093f8588cfc9c1f62d90b1220d3ca4f0c9

SHA256
e01c347c233ffef8807c0cafd98e59f99456dc0d6fa616c77742e74698327db0

SHA512
a61e6b24700e1e8e451acc4b9d807d809031efdca3f0f30a114806e9c5d5329ec17d97c36066f998f1fcbbea2daca760cf0f24486d726afa8e67e6a62d409c16

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
305KB

MD5
fa4e4c4b037b966b4e14648955f55f0e

SHA1
8f3424b76902e295efdcff503e84d803c7258105

SHA256
2e54534b010bd17d9b1a5d7acdc7a8d68f3d32bc0806de7b61fd22c58c946234

SHA512
6ae0763d3951fbc9a38a6e9a69225e982b48fbf3dd959f0e5156a6940105ec8c1dc0faf9158129b8d4b37c9c2314a297dc9246b14f95b5bd0acbdf43aff0995f

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
305KB

MD5
0106b3b1fdb3d8ffed254e8af4f20d9b

SHA1
e927d3900ddf1aba75e9190d3adefab42048b986

SHA256
5b39ebdbc46afdf062d55e3f373697f429144e737b850a410f1b2900f1066647

SHA512
68b999393f9f997e62421d39ccd559349f2ae35b82632276988c954146cd6360f5c54b08d8a72517b9d948a16eb3c9063a9d5ea66f48025bc1bedb145d377ddd

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
305KB

MD5
4df3c6520b3ca293236ac43c9958ff32

SHA1
9e6483aa31224e44e85633dfbde88210e491b1dd

SHA256
f1abade4b495f77cba9b556b106328308eb893989c6d46a586231bd53d5c0a39

SHA512
48d511b93d23f8a9c2c2fb55eb1aac41ee10c926b6a1a1927341a3efacac02935b6e7822b4860b55f55f60c4f4372e3542bd78098262aa391ea28a87e0694d6f

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
305KB

MD5
0003eca68a2d90f8942f6818e2cfb7fa

SHA1
951d29a76bbc0d653a2799ab3db7092a1c7b16c0

SHA256
4ba9344272409669d7b894b3b504507cb491b3cf8443d07a1298282dace7cf51

SHA512
4417a2bdd443333b0c068ea3986f966e5219e317801761303ced20e60b519c92e6250b0a0fc3581019f3a98d0f8916254c1fb8f27d1af1f8fcfebc651ae2cb34

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
305KB

MD5
a8a714fa93caac8d1317a5a509b610c5

SHA1
0500ba659cc493d4c6528422f33c970a1d3b016c

SHA256
10a71081b9cb246b8ce516c50ab783b42162665b8a9b9174fe36a3202c478c29

SHA512
0f611736e59ed2263c88f5e0c79d18ca5f052e82553eaaccecf8896fc831800f0b06ccefc1c811d3d8e89db142a9985f997dfe544db6c5526a4236153e95619c

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
305KB

MD5
a10f46aba3ef419f0f4ac236e50b3849

SHA1
c6b88810ca2bac6e2ace8361a41609590173d160

SHA256
8672ffd41a41c1e0a84dd0a2361d7c12b7ccadf4bd4e2a471151c6aaa9b7d7aa

SHA512
b68b512aebd98434627ef7efc51ef6aaa81b6ee8a12520c28d6fe66493da15f7629f856234f3159417b6b374571c63e50c896a762de29f7b4226de65ae4d5fd8

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
305KB

MD5
879d35e59b6e25b58b1541dbb3e66776

SHA1
957f5d1c5ea67776547255e0bb4fd5520b5a7353

SHA256
9911285548e1e62c05e687f4779d86e271b2a23f626421513135433ef95a4e86

SHA512
237ed56ccb5d03e2b730dab703c7ec277e7baf8a733a26a731ab19114ea1e313cfdd0cce0b6390d3f0df7fc30a805cb0ea64b2dc36216afd475cabef10520d78

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
305KB

MD5
b0db84a40c8522fe4e79c3d9ee5a753c

SHA1
eec8f51449262668133409dcf349574b19a9bc5f

SHA256
c2acf1a25e3576b5a269321e6fa5e511908fb2cea40eb1838b7320562086cf9a

SHA512
05e85c491a18fc7720517bc0002e2e5312807b3b81030981acee48373b41bbbbd30a7f2d8dfd92f73a24bc8a9a7aa85feda7c7e609fc44cbed84baa6b40b8fc1

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
305KB

MD5
7c18190d36e6d60a44050ba14d593e4e

SHA1
0694866e6e9a3351a22184c9e6c1c68ccc6ef300

SHA256
23714e934d68f679ffec58eba7f343117d343fff4e079c40743793149b2b3fbf

SHA512
e9bddc782f842580a48c305cf493a216c382e035ad19d1e2d738c9b295be4cc8932754b94bff38892bd442706e8851f8554ffd2a43e06ca7f70d0d5c6a7256de

Download Submit
memory/64-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/364-139-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/384-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/416-411-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/436-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/724-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/828-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/992-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/992-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-456-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1136-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1152-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1168-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1372-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-495-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1740-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2020-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2028-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2072-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2072-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2288-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2384-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2416-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2492-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2492-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2580-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2632-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2652-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2652-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2980-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3016-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3080-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3120-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3172-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3344-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3764-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3912-584-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-433-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4324-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4388-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-518-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4664-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-536-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4848-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-788-0x0000000000B10000-0x0000000000BCF000-memory.dmp

Filesize
764KB

Download
memory/5048-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads