617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 22:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8.exe
Size

324KB
MD5

539cccc7a5b19ce2d75f2be2da365f68
SHA1

8f0744341eeb47f3d9cc7185426a15b9720b0d72
SHA256

617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8
SHA512

7653306c3272b272cab015a339f3d460c8ba77c8d4f8e884a8773b5a675871b7bfe7f47d3cd3779ed01c4287ba150d647143ece3778daadcc175157d704c63ca
SSDEEP

3072:ofy7ece6iCrxdbMqlWGRdA6sQO56TQY2mEmjwCzAhjQjxNX+W5RK0:Rxe6iwbWGRdA6sQc/Y+mjwjOx5H

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfagighf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiccje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omalpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocecgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmjfodne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhoeb32.exe

Executes dropped EXE 55 IoCs

pid	Process
2148	Nodiqp32.exe
2740	Nfnamjhk.exe
3212	Nofefp32.exe
4036	Njljch32.exe
740	Nmjfodne.exe
904	Ocdnln32.exe
3508	Oiagde32.exe
1952	Oqhoeb32.exe
4580	Ocgkan32.exe
2440	Ofegni32.exe
3588	Oiccje32.exe
1084	Oqklkbbi.exe
4656	Oonlfo32.exe
4496	Oblhcj32.exe
1696	Ojcpdg32.exe
1732	Oifppdpd.exe
3076	Omalpc32.exe
244	Oophlo32.exe
1600	Ockdmmoj.exe
3752	Obnehj32.exe
3224	Ojemig32.exe
932	Oihmedma.exe
4920	Omdieb32.exe
1844	Oqoefand.exe
2484	Opbean32.exe
3440	Ocnabm32.exe
392	Ojhiogdd.exe
2036	Oikjkc32.exe
5024	Pqbala32.exe
3632	Ppdbgncl.exe
3176	Pcpnhl32.exe
4312	Pbcncibp.exe
4868	Pjjfdfbb.exe
4972	Pimfpc32.exe
4784	Pmhbqbae.exe
4464	Ppgomnai.exe
3052	Pcbkml32.exe
4984	Pbekii32.exe
4712	Pfagighf.exe
1332	Piocecgj.exe
1344	Pmkofa32.exe
2352	Pafkgphl.exe
896	Ppikbm32.exe
2796	Pcegclgp.exe
3532	Pfccogfc.exe
2400	Pjoppf32.exe
4316	Piapkbeg.exe
2612	Pmmlla32.exe
4608	Paihlpfi.exe
1136	Pplhhm32.exe
1148	Pbjddh32.exe
3984	Pfepdg32.exe
1568	Pjaleemj.exe
2360	Ppnenlka.exe
2356	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oblhcj32.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Holpib32.dll	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Pmmlla32.exe	Piapkbeg.exe
File opened for modification	C:\Windows\SysWOW64\Nmjfodne.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Ocdnln32.exe	Nmjfodne.exe
File created	C:\Windows\SysWOW64\Likage32.dll	Oqoefand.exe
File created	C:\Windows\SysWOW64\Pfagighf.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Oqhoeb32.exe	Oiagde32.exe
File created	C:\Windows\SysWOW64\Lhnoigkk.dll	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Pimfpc32.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Ppikbm32.exe	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Pfccogfc.exe	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Jdockf32.dll	Nmjfodne.exe
File opened for modification	C:\Windows\SysWOW64\Ocgkan32.exe	Oqhoeb32.exe
File created	C:\Windows\SysWOW64\Ofegni32.exe	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Oifppdpd.exe	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Obnehj32.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Oajgdm32.dll	Piocecgj.exe
File created	C:\Windows\SysWOW64\Phgibp32.dll	Oqhoeb32.exe
File created	C:\Windows\SysWOW64\Ahhjomjk.dll	Oblhcj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojemig32.exe	Obnehj32.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnenlka.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Nodiqp32.exe	617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8.exe
File opened for modification	C:\Windows\SysWOW64\Oqhoeb32.exe	Oiagde32.exe
File opened for modification	C:\Windows\SysWOW64\Omalpc32.exe	Oifppdpd.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Nofefp32.exe
File created	C:\Windows\SysWOW64\Fefmmcgh.dll	Ofegni32.exe
File created	C:\Windows\SysWOW64\Lodabb32.dll	Omalpc32.exe
File created	C:\Windows\SysWOW64\Jjgkan32.dll	Pqbala32.exe
File created	C:\Windows\SysWOW64\Bmgjnl32.dll	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Ppnenlka.exe	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Oiccje32.exe	Ofegni32.exe
File opened for modification	C:\Windows\SysWOW64\Obnehj32.exe	Ockdmmoj.exe
File opened for modification	C:\Windows\SysWOW64\Oqoefand.exe	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Ppdbgncl.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Ojemig32.exe	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Iheocj32.dll	Pfagighf.exe
File opened for modification	C:\Windows\SysWOW64\Pfccogfc.exe	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Mckmcadl.dll	Oiagde32.exe
File created	C:\Windows\SysWOW64\Ojcpdg32.exe	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Oikjkc32.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Pqbala32.exe	Oikjkc32.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Pbcncibp.exe
File opened for modification	C:\Windows\SysWOW64\Pmhbqbae.exe	Pimfpc32.exe
File opened for modification	C:\Windows\SysWOW64\Pcegclgp.exe	Ppikbm32.exe
File opened for modification	C:\Windows\SysWOW64\Nfnamjhk.exe	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Oiccje32.exe
File created	C:\Windows\SysWOW64\Ebdpoomj.dll	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Omdieb32.exe	Oihmedma.exe
File created	C:\Windows\SysWOW64\Kajefoog.dll	Ppgomnai.exe
File opened for modification	C:\Windows\SysWOW64\Pmkofa32.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Ocgjojai.dll	Njljch32.exe
File created	C:\Windows\SysWOW64\Piocecgj.exe	Pfagighf.exe
File created	C:\Windows\SysWOW64\Njljch32.exe	Nofefp32.exe
File created	C:\Windows\SysWOW64\Ocgkan32.exe	Oqhoeb32.exe
File opened for modification	C:\Windows\SysWOW64\Oifppdpd.exe	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Pbekii32.exe	Pcbkml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2336	2356	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohddjgl.dll"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkbkddd.dll"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknmplfo.dll"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhjomjk.dll"	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipbmd32.dll"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oihmedma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdpoomj.dll"	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maenpfhk.dll"	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffaen32.dll"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhmjl32.dll"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oblhcj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2148	3520	617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8.exe	84
PID 3520 wrote to memory of 2148	3520	617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8.exe	84
PID 3520 wrote to memory of 2148	3520	617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8.exe	84
PID 2148 wrote to memory of 2740	2148	Nodiqp32.exe	85
PID 2148 wrote to memory of 2740	2148	Nodiqp32.exe	85
PID 2148 wrote to memory of 2740	2148	Nodiqp32.exe	85
PID 2740 wrote to memory of 3212	2740	Nfnamjhk.exe	86
PID 2740 wrote to memory of 3212	2740	Nfnamjhk.exe	86
PID 2740 wrote to memory of 3212	2740	Nfnamjhk.exe	86
PID 3212 wrote to memory of 4036	3212	Nofefp32.exe	87
PID 3212 wrote to memory of 4036	3212	Nofefp32.exe	87
PID 3212 wrote to memory of 4036	3212	Nofefp32.exe	87
PID 4036 wrote to memory of 740	4036	Njljch32.exe	88
PID 4036 wrote to memory of 740	4036	Njljch32.exe	88
PID 4036 wrote to memory of 740	4036	Njljch32.exe	88
PID 740 wrote to memory of 904	740	Nmjfodne.exe	89
PID 740 wrote to memory of 904	740	Nmjfodne.exe	89
PID 740 wrote to memory of 904	740	Nmjfodne.exe	89
PID 904 wrote to memory of 3508	904	Ocdnln32.exe	91
PID 904 wrote to memory of 3508	904	Ocdnln32.exe	91
PID 904 wrote to memory of 3508	904	Ocdnln32.exe	91
PID 3508 wrote to memory of 1952	3508	Oiagde32.exe	92
PID 3508 wrote to memory of 1952	3508	Oiagde32.exe	92
PID 3508 wrote to memory of 1952	3508	Oiagde32.exe	92
PID 1952 wrote to memory of 4580	1952	Oqhoeb32.exe	93
PID 1952 wrote to memory of 4580	1952	Oqhoeb32.exe	93
PID 1952 wrote to memory of 4580	1952	Oqhoeb32.exe	93
PID 4580 wrote to memory of 2440	4580	Ocgkan32.exe	94
PID 4580 wrote to memory of 2440	4580	Ocgkan32.exe	94
PID 4580 wrote to memory of 2440	4580	Ocgkan32.exe	94
PID 2440 wrote to memory of 3588	2440	Ofegni32.exe	95
PID 2440 wrote to memory of 3588	2440	Ofegni32.exe	95
PID 2440 wrote to memory of 3588	2440	Ofegni32.exe	95
PID 3588 wrote to memory of 1084	3588	Oiccje32.exe	96
PID 3588 wrote to memory of 1084	3588	Oiccje32.exe	96
PID 3588 wrote to memory of 1084	3588	Oiccje32.exe	96
PID 1084 wrote to memory of 4656	1084	Oqklkbbi.exe	97
PID 1084 wrote to memory of 4656	1084	Oqklkbbi.exe	97
PID 1084 wrote to memory of 4656	1084	Oqklkbbi.exe	97
PID 4656 wrote to memory of 4496	4656	Oonlfo32.exe	98
PID 4656 wrote to memory of 4496	4656	Oonlfo32.exe	98
PID 4656 wrote to memory of 4496	4656	Oonlfo32.exe	98
PID 4496 wrote to memory of 1696	4496	Oblhcj32.exe	99
PID 4496 wrote to memory of 1696	4496	Oblhcj32.exe	99
PID 4496 wrote to memory of 1696	4496	Oblhcj32.exe	99
PID 1696 wrote to memory of 1732	1696	Ojcpdg32.exe	100
PID 1696 wrote to memory of 1732	1696	Ojcpdg32.exe	100
PID 1696 wrote to memory of 1732	1696	Ojcpdg32.exe	100
PID 1732 wrote to memory of 3076	1732	Oifppdpd.exe	101
PID 1732 wrote to memory of 3076	1732	Oifppdpd.exe	101
PID 1732 wrote to memory of 3076	1732	Oifppdpd.exe	101
PID 3076 wrote to memory of 244	3076	Omalpc32.exe	102
PID 3076 wrote to memory of 244	3076	Omalpc32.exe	102
PID 3076 wrote to memory of 244	3076	Omalpc32.exe	102
PID 244 wrote to memory of 1600	244	Oophlo32.exe	103
PID 244 wrote to memory of 1600	244	Oophlo32.exe	103
PID 244 wrote to memory of 1600	244	Oophlo32.exe	103
PID 1600 wrote to memory of 3752	1600	Ockdmmoj.exe	104
PID 1600 wrote to memory of 3752	1600	Ockdmmoj.exe	104
PID 1600 wrote to memory of 3752	1600	Ockdmmoj.exe	104
PID 3752 wrote to memory of 3224	3752	Obnehj32.exe	105
PID 3752 wrote to memory of 3224	3752	Obnehj32.exe	105
PID 3752 wrote to memory of 3224	3752	Obnehj32.exe	105
PID 3224 wrote to memory of 932	3224	Ojemig32.exe	106

C:\Users\Admin\AppData\Local\Temp\617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8.exe
"C:\Users\Admin\AppData\Local\Temp\617bbdf47148044a26e256494dd47f82133901462f7a8594835b67ace4aac3f8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\Nodiqp32.exe
  C:\Windows\system32\Nodiqp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Nfnamjhk.exe
    C:\Windows\system32\Nfnamjhk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\Nofefp32.exe
      C:\Windows\system32\Nofefp32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        52⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        56⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 400
        57⤵
        Program crash
        
        PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2356 -ip 2356
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nfnamjhk.exe

Filesize
324KB

MD5
6ad80060b8e9fe0883ef7b5f31715a4b

SHA1
8fc7bc231e2c0ccd3867cfbc89836d49048ded36

SHA256
580c64cfa865ee11cc142d5b98e5fcfd4b3acc2f622d86468aa6262de54310e1

SHA512
f1b5ebb2eaa9ebe35c3d0bb0408cf1b80b9e70a187d61fd4660b0e8849233b05adeebe27a6a0bb5d133ec971614c3f10ab69a78c22e52017b6b9e7298ab3d165

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
324KB

MD5
56b93d469412cc0ab0d681edb8d10e01

SHA1
ae18ac2fe424f79dce30f3ba98db4e9966ab8a87

SHA256
d0e6ade5f82e4c6ba7a8f04d3847ea61410d48ac113b7387b716acd3736b39a4

SHA512
fb4d39cb09102f370599ee3ec83d5d25b5fa62719c8c6b802d1f8969aa5a8d0a783064323cb102b410055e902bfb7a518b7e2153d9d89eaa874353523d4e7d19

Download Submit
C:\Windows\SysWOW64\Nmjfodne.exe

Filesize
324KB

MD5
5be610a036803e279397f25f0b834894

SHA1
7864d2f82c31073f0500b095fed591dd7892a192

SHA256
197bba79edf533213751776b4b8ab77957265c480769cc2fd99c97c4ab409a6a

SHA512
ee5d8c43fd5662d44b147ad8cb4c6066f25fb2ab3b5891bc6e007eab6232154d49b0cb63be20117d942831f9129f82bf972fb3f842a608415f0406f698fb4851

Download Submit
C:\Windows\SysWOW64\Nodiqp32.exe

Filesize
324KB

MD5
2fd9196bab14c152862e8327bebddd0c

SHA1
0c940258ae47a84ee78da274cc6f075d5555364d

SHA256
9f05b5d68c5f386992df4ea1b7c406ff070e8cafb25df75250c4927db40f1b54

SHA512
52e181122b51fa2ea0806f687d496b9561371b748e2ddeaa85e1432ae2986f41cb67f24f7641ca0d5d92fe3560e05659f6b00934771b92a1e7ee39b6883425cc

Download Submit
C:\Windows\SysWOW64\Nofefp32.exe

Filesize
324KB

MD5
efdb52592e38568e23d6a673321ef838

SHA1
400c7fa023c0db062efb5885ada9751272d48e6e

SHA256
7a9671e4fe46693541f27a95b4ad08f1de9cbfcff107bac2a549fd34a8ddfc12

SHA512
62542e3c54fce934520f6ba115ec8cfdd21fd240c0324907a25212e658d3da06fb8159d9428ced51e6c5aa247ef3fb1a37c1617241bab9a941d9b945c58cec2f

Download Submit
C:\Windows\SysWOW64\Oblhcj32.exe

Filesize
324KB

MD5
353e77a8f90222f711e90983d19d81e1

SHA1
a6b4d8179e31616bbec547bad34be7dade4f48b5

SHA256
33301876f78319e22544e960aad715dc816004d66440b1c9c2ea935f06957463

SHA512
3ecddc0f04bcc81910ddd1fc265636cefe85097bf1925eaa20f033235453cdf4a834e0f48e27dcb5a92d7a58548112226f3e7aa422df9c50e6d7c1d54e3c21a2

Download Submit
C:\Windows\SysWOW64\Obnehj32.exe

Filesize
324KB

MD5
e4ada2c234cf2d04fe16130b6b437fef

SHA1
bc73b1a3dde5783c0642c2dec93d0d49f18c55fb

SHA256
154b5613cb7e0554f3b952d586ed99af847d257ebe54818988342cf95600f21b

SHA512
0d16ac68328db224d9ac1649e910771d26590948f5aec28eea9d0a578bd35e653ee6b111ff23f69582e79f805e5b14eaa54d97d22065d9b6f63f3773bf24e22d

Download Submit
C:\Windows\SysWOW64\Ocdnln32.exe

Filesize
324KB

MD5
1800b6c84a1ae0edbdd445e058a4ef1a

SHA1
21a42ed42b0dbb5e2b6ff78fab555d0559f415c6

SHA256
e1812e19c31a93e62c37f7a87d1008d53b2db0099a1db7735e6e8e70820bcd7f

SHA512
3969bbc521a95c09c8edf768607dd6649cbd37881ccac1ce2ab5ca1bb40c2df716732cda89542d867e197f5e3d44abd5b9ba641430e0997c384fe0095b708800

Download Submit
C:\Windows\SysWOW64\Ocgkan32.exe

Filesize
324KB

MD5
6e18739b8ac5df8c7f9dac835360a746

SHA1
61a581bae1143bd890e9df3f1c0a9c520c55d0d7

SHA256
8066eb9801e0d3dbfcf116b4055a4d41bc19a15b342f192e2c4692adfe47c00f

SHA512
0d885cb4123de9e48bb6e2a07339a9fe473b6872418635fee5bf117f0431eb1cd6cb9e8a44148a934a218c38f2134e0ac899dc3c43f71342b55ba82334be73d7

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
324KB

MD5
7edddc346da6b23123ef7aea6eccfc78

SHA1
d77a6d8f1149255d0f8773a0f60ca41ebfd777a4

SHA256
31165f2cf1ea37ff68bb3ea2cf73a3d72aabb7b1553c4f49b4d5641981ee1aa7

SHA512
320487000dd013ace3c2f35f30654c2c4eaea9cd47f310de52e993a41edc1848a9581b49c6ca07a624cd96ead4aabde08d20ae860b93e1ccb660aa9b386d05da

Download Submit
C:\Windows\SysWOW64\Ocnabm32.exe

Filesize
324KB

MD5
e94daf1a2478a52f97b55dd932198903

SHA1
7979ecd2d692a33ea53a699c314407dbcbcdf02c

SHA256
e7e83e9e1a4349fbe6481665ec066c80c2b6effc4f751aebc18ade8832b53267

SHA512
9a941fbebcf18108bbf12c408b9ba2fab507366aa5678b3d0e0f3a80dd8368ef20f8c8bb80ecb5be9cfa4877ccd9698ec7110bff3c2ee27bcbbc7cbc34ad1233

Download Submit
C:\Windows\SysWOW64\Ofegni32.exe

Filesize
324KB

MD5
75f6fb62e8229ef7fa4f24e755f6a5ef

SHA1
387778da85c5ea663bf56f61511bf8310334ce7d

SHA256
81a561368643f86aab5fe2d00a100007f7e1afb88ab50851e8d7b381cc2a2d6c

SHA512
480cadceab622b292c9124fec5efc658390b95e8c166dd5da4e648dfb5ccd4642cb2bde85d6a152b83b6f67f74493e9fa873a7bba1c5c6caa1ff34a8521327a0

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
324KB

MD5
d0da4318eab6e1c67bbfd64610d6458c

SHA1
1dbd65a386ed80374e15770b16ded0591feb3bcc

SHA256
5eb31bd1fbeb0ba1bdb35544dfbb843742bcb8bc83c124e3fd9b1177486288c0

SHA512
9a1bb112c0e3295df8f248bfe3509c8a04068d728a302a509ca2caba40d125daf59c65d1788fda2bb282446f4ea2af240c69b660508c9ab284ea4ce1587e0a50

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
324KB

MD5
50cf92a5a438c4b23eca2c086ce39854

SHA1
733de18a334af7d9031807002ef84460c150816e

SHA256
c3dfd07de12f8fbe5d917703f47c6067e7e1147ceb98267c23d22029c701945e

SHA512
ec004a05dd8818146dfcc6635f3b565de9ea7206d4d3dd500dad1f7fecd84bb25ec6f52c21b46221630d8a468dabd82917a66c8def6cbe6653d37374904776e7

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
324KB

MD5
2879db73b125b75dd6e14eaff69a8972

SHA1
f3bfc1afb278509d5c6bdf0169505fdbd8726277

SHA256
df8f802863a4bd4df4227110941609df82eeec3dcb4de6a74de783a155cff3aa

SHA512
a52224259ef9ff5b4759bc7847acc1e48ae0964c12c2d5c1ce899409c90fde875240b590290dabeea3b7a5b0b15335399b2ebceec955450ead41e72b40048640

Download Submit
C:\Windows\SysWOW64\Oihmedma.exe

Filesize
324KB

MD5
f3bb1ac92b343b74d5f9875d3840697b

SHA1
ff6bca7cf34b5bcc2ee6820d41c9fd531aa7df4a

SHA256
e808607c18042985dbd9df5358934e0ee4ef4b2acbe649ea5ef6c346fe694e35

SHA512
e3726258f8ed0b583fea33e641707097f6e78e62a20b81eab3dfcee44a5ecd597cfc6790218b5e06ecf147d29cd04c90eed4637eaed7a46909e4c5dd3898bcae

Download Submit
C:\Windows\SysWOW64\Oikjkc32.exe

Filesize
324KB

MD5
722fd7923ac3eba463da9ca4de1f5714

SHA1
3f6e147561a44845e7e0d878c471d38251b9d1c0

SHA256
37ebe9377d26cb7be3189e2b632a394ba94c43a7d76b2ab000a2c1a6e929639f

SHA512
af3ef2e52acca6a918f15e3c61d016f6bf3d54b19a6677f6940226ad80109e8c71b13dfccfeb6348931c9cfd12e6337fd074efea6be3011ef80a2f38967a3fc7

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
324KB

MD5
33f45c321b5a190b2891edc8c554c82c

SHA1
0e2efd47794c040796869bb0057486b73c78a7d9

SHA256
955558882bd186d01985785c4f0336dae01f5d0a60f3f2b2762768423f99214a

SHA512
53d9cd488d8b2b2065259c0e2dce708c2966187f150030e1dd3b50f7c87be2d138c9d46598dd2ce1ac907da2f1023f5dcfc3bc595718c7291082858707bcca61

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
324KB

MD5
fbc014c0c7590add7dd1b8e1b9693045

SHA1
f9690a92a47bd1127df57f80017ace07601dd4ca

SHA256
b6f034b4a0122a78ab22d17c0087fb7b3f600d73229ceb0b8098ee90a606dbc8

SHA512
effccaef2ff45db3863748e3842e8c3882742aabdf27c306b8e2c6afc4ad7939596bd0f7b90a72068b9c76063fbd3f3d0b75d95903f19711fdd8d3affd3f93c0

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
324KB

MD5
0faa77409bcbbc52f4daf4b8f1ad90ac

SHA1
84514dc5c80dd76a0ca25e8e29d91ffd86dd3201

SHA256
3a07d1d3f328a4ebca8c24d8eab701bbc5b4c972df225a0bfd5ff49c65b56ecc

SHA512
09670f1d0e59dd8ea737a4e411f6778a0714b7ca14eee466156d71db1828cda4ae4123b0641b1510160f3eac8ffb5b651529d7ca6bc1e2ff9401191e7853a82d

Download Submit
C:\Windows\SysWOW64\Omalpc32.exe

Filesize
324KB

MD5
a76d53578120fbba200e025289dcd854

SHA1
b7ea5675a72f2c57b08c36536a3051341bb896c0

SHA256
1e33820adf983f48625c65ef8c6f7f015ea53ad6d4ac7a2105ce099a50702cd9

SHA512
ff81a9e36d75ab3c38b34cd5e7c47bac8e14928cfd3b931c16387a2dcc43ebb952e309a5d878244bb086306059df825384f57fb8e80e10edddbbe1cc410fc533

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
324KB

MD5
dbfc0a3ce032eed16fd8a26b83ac33b5

SHA1
cca41e6003e650bdd0b3d20c4d8aeaa3831ce5b2

SHA256
c3e6397a33cd49339b35512fa58c398b99a649cf9e17a438f9c4e6fa4b5a3941

SHA512
63d38b3b9713c3330104dd3cd15dfd605afb2fc2bd7f7e0d820c8850e4be27cddba3fcaad217c84e1af7135299f2a0920e409bfa414ca69959d7057b8ffc040d

Download Submit
C:\Windows\SysWOW64\Oonlfo32.exe

Filesize
324KB

MD5
a5062cd029803559412d0e97243604f0

SHA1
69b801b5a219850f6997ced934727228b115525f

SHA256
bc7535536e6645335366ee50fd854f435257e7256d034e64353f4b7a80960c6d

SHA512
21d81f411fa8e178ebd83cb55665a4c8c8acbe5481a74b60c6f0929ed49f75aef652a7f4b36ac2cbddc7487af5197163fc0b9a0588898cebc121a455a695ecd7

Download Submit
C:\Windows\SysWOW64\Oophlo32.exe

Filesize
324KB

MD5
b0ec9b1786015fe26f4b52eb722a9b72

SHA1
9806602c30d3de665c92bb2b2fb6ed5c474ec9f4

SHA256
2df5d134cb8f5783c9ae2f730993e5bc1c91db8fbdbe8d634e9096678c89c345

SHA512
6a8400752239cb08113c1a820dfa6c0a2f903b391039992bdb1103b0f0ec7367bbb3767704699d9f0905b5c7a9209dccec3bec6c1648f9996de02506397ae127

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
324KB

MD5
dab9358d2e70a5567f8d6c6f41a107dc

SHA1
9cb6714eec84bceaa2efac292cf47866d1b6ebd0

SHA256
060bf46a38cb1eeba05ebf93360f7f6bdc8a04d2b9139dbfac17816a96390c48

SHA512
7bba9e71779da8b0b6732cd326f937026e5a40ca67836ed6f3ed27e88a9838d1ccbf6e161d099ba49af60600a9fdf13de872a7e24d8ecc206c48e6a53f7c6eb5

Download Submit
C:\Windows\SysWOW64\Oqhoeb32.exe

Filesize
324KB

MD5
22c1370f44ed778a9380e124229815b8

SHA1
779507a04cacfb0abf82e4894b007d145c4fd403

SHA256
26e1e8e0ae81d417808451ef4e9cc99b6e61bd9a5605b96ecca58f486b29f767

SHA512
4edd93eb4cf3d59781e3076561ab34a690c0942cfb28e6b69664e08f10e2f79cca812e021859672ce16f0b49aba5f63e211d1b91a933ec188c2d01a1b1d47e8f

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
324KB

MD5
c82a8c4ca453bd46acf0ccd4a9616e0d

SHA1
af7483d8204f49ab72a472c01e9e6951d8fea754

SHA256
49afa44f7aed4e6c41d57d5a9f94187c07594e2bed046f349318996b2f16764d

SHA512
147b494e543f5fb367d69c0b97283e0065063fb38e866491301f1161a09cd831801ee2465e9738f047e7bb3ab3ed95076d9f2a828697a32dbf075ed94e445716

Download Submit
C:\Windows\SysWOW64\Oqoefand.exe

Filesize
324KB

MD5
817e3dc00211b79870770496a0ed1111

SHA1
0072d98714dc56a184df3796bb1e7b4b7f6df422

SHA256
55a72d88fe77b6fc019bcd3830432febd4b9bf1161a435c162bee824e1f89d78

SHA512
783a87d5578e3e28f3ba48c30ab8701b7afe89e9f177ffc31d32b3224fbabdd38fef4a1baf8d68cf949b05c770f3e74e106aceafa528d6b6f8c29131dc5c2c33

Download Submit
C:\Windows\SysWOW64\Pbcncibp.exe

Filesize
324KB

MD5
48a1d17db782a76d915b2d23f30e9174

SHA1
12d65f4867e32ea0ee163a466b0c90700b3b0904

SHA256
1ea2d46e663d6cf30f3144c425135f13c8407f94167f7d6c915c133ff0f4a4ae

SHA512
4d1f69f2f7d3e01bd3bb238a095680b42fe982c41bbb73cca690aceea66ec94b2a3afa7adc6a49f0b2612e3f771185e994d701785ba98388b0587105450c8e61

Download Submit
C:\Windows\SysWOW64\Pcpnhl32.exe

Filesize
324KB

MD5
0345080bddc24a4e9a0d1786293a3669

SHA1
9d08f11440e0e1092d9e18c93dae8eb30a10a623

SHA256
1760aefd7e9eaa28a3563c85cd6654f9cc0527185b256888847c6b4409199284

SHA512
489768cead6f8b8144cb0468de64c3791d833270685738df0f95340c830780f3b5e142c38bbb31cc6bfd96bb269f4e60cc46d03e303dcb840343b28e17ce941b

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
324KB

MD5
0d5120228be8b24b472cdacd7cf8e390

SHA1
619cdbc7a00322e9f685a80bd1500e75e3daf380

SHA256
41eacb568331e1233deddfbbc60d60fa0fca432a26489cab6f1983636aee8481

SHA512
a2dfdd2fb118d7d729f55441b72939ac9e989c6dac85ef23151929ba6629f7e8f78b9bfff449eeefe57ffbed2c756e38b9cafa18f8666f501da032a035156f50

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
324KB

MD5
d51265c187cee35603209ece46d9d97b

SHA1
317622fae00548c968b94d85e8753ba6891ca5cb

SHA256
5a85b52e1c7cc79fbd0d98ca5c31a2335509bdaa96e99bbe95aa7e335b366845

SHA512
8ab087be2d94cdecf6f8ed1631eb04b3b242ade51f7a4e5f1aca00b663c2c60144ea5ecf4b46f0b33750d13da1e4d4288f690e78ef385daee5b92cbfd25effed

Download Submit
memory/244-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3532-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads