d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 05:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe
Size

67KB
MD5

c9af13535849c769d268d586b2d7bf22
SHA1

e3611e70fd07be1871424d4c877f0a3debcd6105
SHA256

d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49
SHA512

414097fac6ea1591cfd2c6b928695efe84b05024fc11ea40b355bd531486f7187ad38a9b4b7fda4d6d1fe27f2ad7ba0bc79066d7121defd380c65ba2b4f89669
SSDEEP

1536:Gf36ZV5xtiSjhnpOrFTTTGsJifTduD4oTxw:86ZCS9npOrFTTTGsJibdMTxw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe

Executes dropped EXE 64 IoCs

pid	Process
4084	Ognpebpj.exe
532	Ojllan32.exe
4392	Oqfdnhfk.exe
4624	Ogpmjb32.exe
728	Ofcmfodb.exe
4768	Oqhacgdh.exe
1372	Ocgmpccl.exe
672	Ojaelm32.exe
3708	Pmoahijl.exe
1272	Pcijeb32.exe
2192	Pjcbbmif.exe
3872	Pclgkb32.exe
2228	Pjeoglgc.exe
2316	Pqpgdfnp.exe
1188	Pgioqq32.exe
2404	Pncgmkmj.exe
2200	Pgllfp32.exe
4412	Pnfdcjkg.exe
3704	Pfaigm32.exe
4780	Qmkadgpo.exe
2380	Qdbiedpa.exe
3428	Qqijje32.exe
2720	Ajanck32.exe
3580	Ampkof32.exe
3836	Afhohlbj.exe
1316	Anogiicl.exe
4388	Agglboim.exe
4116	Amddjegd.exe
2272	Acnlgp32.exe
4288	Andqdh32.exe
4132	Acqimo32.exe
1728	Anfmjhmd.exe
2664	Aepefb32.exe
4280	Bfabnjjp.exe
1020	Bnhjohkb.exe
2924	Bganhm32.exe
1792	Bjokdipf.exe
4144	Baicac32.exe
3660	Bffkij32.exe
2736	Bnmcjg32.exe
1736	Balpgb32.exe
4056	Bcjlcn32.exe
1204	Bnpppgdj.exe
1956	Banllbdn.exe
4720	Bjfaeh32.exe
3024	Bmemac32.exe
3272	Bcoenmao.exe
880	Cjinkg32.exe
2384	Cdabcm32.exe
4472	Chokikeb.exe
3716	Cmlcbbcj.exe
3892	Cfdhkhjj.exe
1800	Ceehho32.exe
3348	Calhnpgn.exe
4040	Dopigd32.exe
4396	Dobfld32.exe
1200	Ddonekbl.exe
2452	Deokon32.exe
2032	Dhmgki32.exe
4340	Dogogcpo.exe
3192	Daekdooc.exe
3696	Dddhpjof.exe
2072	Dknpmdfc.exe
4980	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2160	4980	WerFault.exe	147

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4084	2596	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe	81
PID 2596 wrote to memory of 4084	2596	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe	81
PID 2596 wrote to memory of 4084	2596	d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe	81
PID 4084 wrote to memory of 532	4084	Ognpebpj.exe	82
PID 4084 wrote to memory of 532	4084	Ognpebpj.exe	82
PID 4084 wrote to memory of 532	4084	Ognpebpj.exe	82
PID 532 wrote to memory of 4392	532	Ojllan32.exe	83
PID 532 wrote to memory of 4392	532	Ojllan32.exe	83
PID 532 wrote to memory of 4392	532	Ojllan32.exe	83
PID 4392 wrote to memory of 4624	4392	Oqfdnhfk.exe	84
PID 4392 wrote to memory of 4624	4392	Oqfdnhfk.exe	84
PID 4392 wrote to memory of 4624	4392	Oqfdnhfk.exe	84
PID 4624 wrote to memory of 728	4624	Ogpmjb32.exe	85
PID 4624 wrote to memory of 728	4624	Ogpmjb32.exe	85
PID 4624 wrote to memory of 728	4624	Ogpmjb32.exe	85
PID 728 wrote to memory of 4768	728	Ofcmfodb.exe	87
PID 728 wrote to memory of 4768	728	Ofcmfodb.exe	87
PID 728 wrote to memory of 4768	728	Ofcmfodb.exe	87
PID 4768 wrote to memory of 1372	4768	Oqhacgdh.exe	88
PID 4768 wrote to memory of 1372	4768	Oqhacgdh.exe	88
PID 4768 wrote to memory of 1372	4768	Oqhacgdh.exe	88
PID 1372 wrote to memory of 672	1372	Ocgmpccl.exe	89
PID 1372 wrote to memory of 672	1372	Ocgmpccl.exe	89
PID 1372 wrote to memory of 672	1372	Ocgmpccl.exe	89
PID 672 wrote to memory of 3708	672	Ojaelm32.exe	90
PID 672 wrote to memory of 3708	672	Ojaelm32.exe	90
PID 672 wrote to memory of 3708	672	Ojaelm32.exe	90
PID 3708 wrote to memory of 1272	3708	Pmoahijl.exe	91
PID 3708 wrote to memory of 1272	3708	Pmoahijl.exe	91
PID 3708 wrote to memory of 1272	3708	Pmoahijl.exe	91
PID 1272 wrote to memory of 2192	1272	Pcijeb32.exe	93
PID 1272 wrote to memory of 2192	1272	Pcijeb32.exe	93
PID 1272 wrote to memory of 2192	1272	Pcijeb32.exe	93
PID 2192 wrote to memory of 3872	2192	Pjcbbmif.exe	94
PID 2192 wrote to memory of 3872	2192	Pjcbbmif.exe	94
PID 2192 wrote to memory of 3872	2192	Pjcbbmif.exe	94
PID 3872 wrote to memory of 2228	3872	Pclgkb32.exe	95
PID 3872 wrote to memory of 2228	3872	Pclgkb32.exe	95
PID 3872 wrote to memory of 2228	3872	Pclgkb32.exe	95
PID 2228 wrote to memory of 2316	2228	Pjeoglgc.exe	96
PID 2228 wrote to memory of 2316	2228	Pjeoglgc.exe	96
PID 2228 wrote to memory of 2316	2228	Pjeoglgc.exe	96
PID 2316 wrote to memory of 1188	2316	Pqpgdfnp.exe	97
PID 2316 wrote to memory of 1188	2316	Pqpgdfnp.exe	97
PID 2316 wrote to memory of 1188	2316	Pqpgdfnp.exe	97
PID 1188 wrote to memory of 2404	1188	Pgioqq32.exe	99
PID 1188 wrote to memory of 2404	1188	Pgioqq32.exe	99
PID 1188 wrote to memory of 2404	1188	Pgioqq32.exe	99
PID 2404 wrote to memory of 2200	2404	Pncgmkmj.exe	100
PID 2404 wrote to memory of 2200	2404	Pncgmkmj.exe	100
PID 2404 wrote to memory of 2200	2404	Pncgmkmj.exe	100
PID 2200 wrote to memory of 4412	2200	Pgllfp32.exe	101
PID 2200 wrote to memory of 4412	2200	Pgllfp32.exe	101
PID 2200 wrote to memory of 4412	2200	Pgllfp32.exe	101
PID 4412 wrote to memory of 3704	4412	Pnfdcjkg.exe	102
PID 4412 wrote to memory of 3704	4412	Pnfdcjkg.exe	102
PID 4412 wrote to memory of 3704	4412	Pnfdcjkg.exe	102
PID 3704 wrote to memory of 4780	3704	Pfaigm32.exe	103
PID 3704 wrote to memory of 4780	3704	Pfaigm32.exe	103
PID 3704 wrote to memory of 4780	3704	Pfaigm32.exe	103
PID 4780 wrote to memory of 2380	4780	Qmkadgpo.exe	104
PID 4780 wrote to memory of 2380	4780	Qmkadgpo.exe	104
PID 4780 wrote to memory of 2380	4780	Qmkadgpo.exe	104
PID 2380 wrote to memory of 3428	2380	Qdbiedpa.exe	105

C:\Users\Admin\AppData\Local\Temp\d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe
"C:\Users\Admin\AppData\Local\Temp\d5e6f4feeacefe6c9ad3a61a2b062fef9c9a5eab96fc762467d3dac419724c49.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\Ognpebpj.exe
  C:\Windows\system32\Ognpebpj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SysWOW64\Ojllan32.exe
    C:\Windows\system32\Ojllan32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\Oqfdnhfk.exe
      C:\Windows\system32\Oqfdnhfk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        33⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 404
        66⤵
        Program crash
        
        PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4980 -ip 4980
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
67KB

MD5
14cd7de7f3c0c69acc4cf0cf2aa1006e

SHA1
6ec0e9e5c582980abd1bbe5eeb5895eb7a6b10fd

SHA256
40a0b44fe55a8aa5d803c1461000ee81dd4be533732de4e9150d160835686370

SHA512
25a796a5628f9803a4add6ad0fafd00c5472a186b065e66e1f1407c858b433651db50a86938414434d656bd129f29a6fde6221c3764da618419fe984e1d98d33

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
67KB

MD5
fd20732dbddaed35a4811965e6ca1551

SHA1
c42c07afd5341dd69986e73a92e392e84f07ece5

SHA256
6aca70d31a9a80c3958c4f8bb262670b8576ea5610310fa415a3ea7d64f893da

SHA512
4a80acd5e12ea51eb150eb6025b61ff443496ae627c8d0c4cd60096e4b738d21d4aba63169ee748c4e1750d7508ea91834fe805b294aea684397be4f4b960b25

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
67KB

MD5
40761103e1bea7c73d9804ab6f854a8f

SHA1
79f277a39662785ac1bc32181c78d3314e9284a3

SHA256
f66ea7f75bedc1ebd323d9249e71fe695a9705ac306b0f3acdbce74ee3b8e164

SHA512
b497387e758099ad1706275316da5a96c527344869efa31f41f5e8984e9ff7ad62b901a3d1e55a1f5c3c1c0b2aa149d11970f880267f01e1f5f484c54ab4f322

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
67KB

MD5
2880facacff848402053e0372f374b37

SHA1
31bb6162aab8c1615029aed2c96baa29530d5ddd

SHA256
0b7f64f781542bdf95a71c3fcf77a092f3290e03167c06d490230ade1136159e

SHA512
40a1625e276a1966f398312c9d2b41956cb3a36807fc5dd918d94e8041bad5a9b81bb91c79d093bb8799ded7011db99110dec918f5e6b23d1d769f7f6c95ad85

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
67KB

MD5
a7d1698237c9200194c5db0416293e2b

SHA1
286111027155d77295e8959fbcb5cc0b5b9bfd08

SHA256
f962697a113f196c7f0f05c5350fdbddbbb2554013b43da1745fa655c0b385da

SHA512
ac48a9cc2b1563482897bb4089205abcc41ac3b8c7d060e734811b6e389c961ef2c561444224bbba3d0ad463582faf34ff8857c452aa5ba98ffa93082cd16b1c

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
67KB

MD5
7bb2fd2bdac76478533df7a15459105e

SHA1
2f83978cbd652bb3fd594cacbff99d2ed238554a

SHA256
5eba281afa415a97855f9fa3576a7971207cbc5ea9d6b4f0c488d29367112cde

SHA512
7afc670404ce8cdb348cd9531030ebc1efa8d7564e40d22f0a3fde96225c341bdb4694c24f4667d4d9ac8e101c6e6df6600a3aaa63cb2b732add87414be8164c

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
67KB

MD5
d11f425a11d5bc69233029d9a9d4699d

SHA1
97c3828497095cde7bc3969fd1338fdb6c9543a3

SHA256
0bc29b94a05318d446b4e23a169f915ad276fdc2750cd719b89a00268c20d694

SHA512
41d48a6ca940cd9b5c66074b05a0071beca27ffaf8a554f504513ada44716e628ca7dd447f4bc50503cf055c322782aec6992eed5c7ab332a547bddceb1edd7b

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
67KB

MD5
3207462a2d4b7c51339fc49529a1c086

SHA1
22d0898a59e17e7fe627a8d09c90ff622add305d

SHA256
14947b05676342ac70111e9f5b819512294aeeace6e1f7e6e1aa47e282b2c20e

SHA512
719c239eca6712a83faa563ecd790cf89723850ff3ecdfcd0429e4cd82601f38aca2f680afce0a8fdf243bfddf864f7725ab6ce62959b193d6162cf81dba4d34

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
67KB

MD5
601420338b8a3b3fb6a73e9ee82fddaf

SHA1
96ce02208eb7b14c3167e8b7abaaca0419d4e48b

SHA256
4a56ac5282134d31ee02c18e74bf064acb00844d6ddb7969069fdb0596cd38a1

SHA512
02adf753f3c2b8e32c52d25f78ba9c5482f326de6ee5873f1c10405f2a999f63d1fba6bbc4569294c8414196cd6cbc812df30ffc12cc6f03e6197d0b720a1b40

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
67KB

MD5
a59a33c5befa11eea3077c70c2cee3e3

SHA1
dfde1e336e8eb72606dc3f08bcdf988ef1635cf6

SHA256
b614f12a0e58b1fe23653d58389c150d4b6891863fb1f6402755fc6f26c8ead4

SHA512
63c3f90655a311500da655bd5d7a16106213862f481e1591f2ff675a856f18585759b3885f8fb6ce53fc0692ef4622083a7ff0c188d625f9be165f322d85975d

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
67KB

MD5
5acbb2853fc3e882c871038984c638d1

SHA1
6f748d8c77ff00c7e71de5a7adc0d12e46930603

SHA256
c56c28a87b0d12ef15045098f627ed61ed51966c5881ea6bb567b788e68eccf6

SHA512
6dd65ef90f2cce8c0931bc0ced6385e5d418ec3e353f98570533e4c4faf00e8a392bb2a11b60bfac09f8c38e3f2e735db29ee26731c0e5895b33dc79020d1359

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
67KB

MD5
642102a08fcd53c51c363a10adf893a7

SHA1
3ac5758c82af96236c84687431a92cdcda06f3f8

SHA256
5d9e0598ef4df68cab396d48d6d59f3222299f9c9153a808aa6eac1c32e60a82

SHA512
907cce20d7ffe937f33b466d3701acb318dba616871005bade8339725e1dcb10b25beec7de03e6dc705a41d74bc25f35ab94ae2415bb1a9042e6ac39ded8f31d

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
67KB

MD5
575851dd83e0b718c1b1f1339dd70f81

SHA1
124248bd5dc7ccfc20e6f1d1ad29ba2cee0a1608

SHA256
f837c67e200eb08e5439008b0f7c180e6f1fa3393251d9ce4ee662c7db4bb03b

SHA512
84fbdc3e6c731e4124ee8e8dd21984f2ec95010198ff86b9564427d7ed8c15c7f102e1c7546cbf4bfa80bdfc940d6bae3cf94d7a4323c9e965d0310626fab456

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
67KB

MD5
a587a0b534413dbde897cf85e9d37aed

SHA1
31f1bddd3f8a3b59a7c64d05cf7c6ad4dbb3cc88

SHA256
b55a6d100c9ceff4b4867d7a5676f61fb311259ae8f746e45b580318acdcd548

SHA512
fcf2d21e1887d06432ab9cd7c7fe20cc625244ae11ae604a9e22d0a76fcf86f447e25deb9d0db995866d4f595f676593870c03d245056baa5bb6e67c7a31ca94

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
67KB

MD5
34e13dbfbf0b8feb8a9b2f55a13b7d70

SHA1
ace8f3e70a877c2731e3a94a0b0c09a01f0ea068

SHA256
866ba07f987bbd78e4ab4aa033ffe4ffbb725564d3e7109b7a8d62d0c4efaf7a

SHA512
a2977fe7eec88c08923bd58bd70879bc9cf4d0b5255722e5c0679ac14c1d9106e7bd12112f0bbde3830c634f3df7b67d2d8597dff03aaec575b4210707d439a8

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
67KB

MD5
30252fd808e57ffa696df961171a7dde

SHA1
39e744a26b61758565699168472b4b8128ede767

SHA256
1cbbc49f0f3f6a05660f20bb3095ef99df66b1dea1dc888717e8431db1717879

SHA512
0aaece17d56556e3a32c778bf3d459c9f6845dc38a30f3df1d6f66aff644cecf134446085ae20de43526897e4cb1146a0d4c052cdbd056514fa4af6408316f72

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
67KB

MD5
f9ed360e319180eb1280c3cf0592168e

SHA1
3f877a60ae827e8717511996de8e3870150bf0c5

SHA256
95a20066ae4466925a0677081415b0571892f2104dae1be356367d71bd8d9070

SHA512
09a09b4c95ee001c76cf7128adb4d74f242b9377ce5c7cea791b4507dbb8809e578992098f78273a76f259c0d33b3c3384ab5abc8aa36ee8bee9b3d1f7b9ffc2

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
67KB

MD5
44ce9013e280a4e30a2ff1f379457147

SHA1
fd3bf34acee2937bbb540f62c13e4e80ae6a1c86

SHA256
e22effee7ad6cb799dfafbcd443f948d0c05d3d3558743aced4496f3c3b21e5e

SHA512
2cb3358c8276158e794b86378262551b7b979ab47ac08da82ec4cac9764ad7deb91164c8a59c67747e9ef32db4004aa6b0dc9188e6571f5dab4e3ca12ddffcae

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
67KB

MD5
4bb0d846472635eaea6bb65fa628d061

SHA1
fda09780023df0acc62d62e39698fe3d8a8e1d16

SHA256
cc49cd6e0740d3218c3e6313305fd952878a8f7759f7c12609295f0d58ede5a3

SHA512
c426014cebbd32b927f5cad4ac55b1a9a464dc243e18ae55ac953a79865038f37362cfd08cbed28be1d5720f6a2bbec4b0ff82694bdebefebe74913f68bd3560

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
67KB

MD5
19d0dd4b7d524c14b47743c424dbca6d

SHA1
b007da85218243f437f948ebcde044c0d2ada54a

SHA256
ede076755edb1b84d919b73b4d5e45b4c3384270b8d54a6dcfeeda0fc8ed95ab

SHA512
fe6e81f0cc4d849134ef692bb975d0579a06327110e72893687c3cbf20f69525968ddc496fd0d3b9a97484e8513e855709b5a91e6dc1458d92767d95b50303e1

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
67KB

MD5
0ae6207009a60a864f8871b3bb32c4ed

SHA1
64c6050410ccf72cba79020098ca168e6ccc52f9

SHA256
97d8a5391785e3ce1409d298859df6f671dd4d0def390145d9342dd2dd9c6019

SHA512
04357801b4d6212334ae3368e1247cd0763248e0ba6418506b4f8142a0f7c169586a10ea93490afd038d5573188f00dd761985f44a959e4a6565250a4a12a2e5

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
67KB

MD5
cffce11421bf33ee1918b9d392ac0c82

SHA1
e5272f350298cb0dc8e3fbe4dc8c68bda766dee1

SHA256
79b83d2651295af671a414e0b4d6b9106eadae7e23c0265bbddc3f0c1ded05bd

SHA512
0af8bb66f48faea191d618eacfcad21c873fa377b60065ea3d7239f5ba019093ab021a2c877006231c2a879404ce79ee5807e00aa8dd82e69430114af1adf095

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
67KB

MD5
56caac9874087bf9f8138328fc792d97

SHA1
539a352c3b11f107c27e61027450f8238bbabfca

SHA256
2f5ff1b71e9551570112fed27fda055dd4f72ea9c962765dcc55884da25c19be

SHA512
51630cf7c8d8db54ce217aa117208cc0b0490771d0a71cce84ab2383cdb738e94b1d2d13fef7eae9048e4f909b48c1a1b6000747e0480eea0225afe9994f1add

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
67KB

MD5
4ba02f17f1fdba5b4dd380ca9a0f8055

SHA1
2b6557a5b0af478a1627d19145733a5907009bfd

SHA256
bd293b71ed205016d45ec9b244cb4c83ad2865c1cf88d43e851b900705f50140

SHA512
79accc839fa6a89e742a02e9896c1c011aeb7630cb8b4ff5ed4699687e519a8e762e88ff07190cec3ba1621462e15f91c3b896bfdad7d33dde4e1d006442915e

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
67KB

MD5
1b62d4ddc99e5ef595f19791b1082aee

SHA1
51b1e48f379380e71309f50bda5f06a50b3f6404

SHA256
fbb28a4849ed0fbcad7037d2530f244735d83a24a5194a90e07b1308812bed71

SHA512
eb3176f71e618f3e1cb2a8a8f5e61682b2d418e5acce118d8fd5edc2e22aafa68adeb049040f9ec09c47be9cf467d90ccb1d995e8c0843ece5b1fa67ca2f3598

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
67KB

MD5
07fdbe0b6efa907470707af48cfc0ea2

SHA1
5b93db1bb6ad3c8e759ddb0d1f89f8c105428aff

SHA256
7595e1f3d9967717655cb5c3f66678fab39351c0fec4337c15430810c39bd963

SHA512
e2eda338e22d22883f2f53ea6e7e714bf86f6daf65b650cfe29163db18d97ff63290cdab16161a78caceb228c56b9e73c9444f1d181f6290b18048115f94ef54

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
67KB

MD5
24df6ff64c8a28eaf93962c920018e62

SHA1
8499b792e6aca7dc706ad22209b0d7907a361329

SHA256
eb3c9cba1077c426d90e6c3979ed5cfd9a4725504f951de3bc65e7235aa74213

SHA512
550cc60fff154ffd5b971573eac37d66c1039b44316ab783d4778a1f4313cef7ea6015720d2d9c2ee038202d22689a3553e808328e96f0335b83e118dfbf5120

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
67KB

MD5
97b0cd1fb8da418ffbe6c6720592fcff

SHA1
5d704249854a455ea6d728cc59271792dd727ae2

SHA256
85dea4bf2170dbe126de5c887e258a4ffb8ee2e79c76826a45d089f9178a86fc

SHA512
f513f032cd842c0f7ce62f9f02f7b2ad6a3e97e1cce1499707c9581c5d5384242c1c9e6aa9baac4d418cf0197768e91a908297436dd386b131e73564bb5a3d70

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
67KB

MD5
d84002169bab07576e294c2f2312fb32

SHA1
2658e751a7bb1e593caf034af8054335b5e6d498

SHA256
5b74bf4da722d98d9d9f7049db9192e2898b44b55ba90768e2b668a1f980d001

SHA512
f1f7cd4bc848393febfaa0a6bea15801baa453d8bccd3e32e976f3a48a82bb74848f01f0494cf0be0be401ae7eebeecc8306a98ae1a0d9f0940be4da1c043251

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
67KB

MD5
6e38efedad07d0a3d1db462be48b1aac

SHA1
3a5d7c9970b895ff5b7bfa29a701990adf46cad0

SHA256
c915a32d8a2e3dfaab72b7c8ffd89ca85709efe1e60baf7e227653c4f4cbf3a6

SHA512
aa731849fc2962ddeca7cfcf5e26e5f7838f14afbb613ebae09bd931b38aec7bd1855bdf9ec6e56d22c974fe86b3fe906c750caec9002ac8b79e35da5978f688

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
67KB

MD5
92d5804b00e58e913a2641945e2dc746

SHA1
5de4ff557107738f9df2440cd3698f197d384b81

SHA256
8c8248c4d075045df0fabd9ec161992158eee67baaa1a571ed23ca671137aa9e

SHA512
ffacbc6864e43e0f6f69e3cf1fc86d19b4a4426b8ce84afba4c09caa04f2c99c187e193f439dd7961934cdff4cf4afc2d4c7bff3c9f56b44cda86cd3e831e374

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
67KB

MD5
b264f17e6d0cb4849237f1455c92fa47

SHA1
b867dd0cc4a3faa8a2c14c3492df1f39911fe2a4

SHA256
91cb7d5bdc43553ac00f13342ad9b1417088db3c3b8aebedc80b4d572e77ff98

SHA512
7d6e63aa0ee7aacf0a0a3e50d8d7aff080aa8d6b13b683c9f6c5520b2ebd5d06717acfa8f616be6d2e590511f0128e910e43ad119b5cfccdd48e7639fd0c97a7

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
67KB

MD5
9e6f9fcd0c0b23dc745fbb1a07c5aaaf

SHA1
d3a5ac94e470f4ecad41571cfbaf78feb41dbcdf

SHA256
eeb247374ae3eb41a4e20491507e1f04300b0e63056937d150e071c6a951b5b0

SHA512
fd0b63c2c275baf2858e37e69f0f726a76c9d7878e1ab8ac4b2030960f2da640f949afb6977e7630f00bed5f8e66fa05d15ca601e74f6bf1cebc42234243291a

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
67KB

MD5
0c41e11e4c546e134fb8d3bab9da4bc7

SHA1
eb43fb2d33d58bfc6f48a351734968085a7ade8c

SHA256
9bce9638676665313ef43e0c4366322a2bc2a7288a5912b70de65f5ee7df9d55

SHA512
bc906a6ebfa2ea7d575fe33857081fea58ee16267601f3bd70ca79564bb8ea231133c7e8658e781afe587dcf22a624fb234aee53c53245cc30b8d6c8824518e1

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
67KB

MD5
efe01fb5481e451179d00ce222baa401

SHA1
f5033d9e06c0fc1f4843ae385813e6da89f40848

SHA256
7fa6800528018cf671d9c1b93db5715c769d2dea49fb509befb4a60f192b563a

SHA512
e780bd47c63640ff5804c922b577f7df95407a20a76836fe96a425b593b7e6a674c99d6cf552b3c029e7f7f5730cdf7980d7a469c08b42a80ee8cd430d777ce0

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
67KB

MD5
176ed79eca0baf92d7a02ccd59c14bce

SHA1
b2a74f09993a242ab8e2e82107f7b2919bd63bac

SHA256
fd5ae04fee7f2b660464b07d3e391e28ad3a0d4c3ea86408cc55ca8be7c4ef44

SHA512
7d062086f5f2048c05d870398764351a01d7b060c6a5f8bc1a46b2d910b29735482b0ae2bbf47da91f3a5827c400880ad434a899dcb62e89fad11500a3fbd1c0

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
67KB

MD5
030c4c226750bdbea1b5f796a2299e6c

SHA1
9201a89067cae04f76611b9e7c98aa114029078a

SHA256
ef32182d41db500c7b3bc93ffd9065f02d408738007547558281eec7e46973d8

SHA512
72cfa02904a204c46a73e00f8b39409ce8b556dd93a91083bb51c41f258dcbcf91fb0912166a1f3b0574b4ee7bbf25e46469eae27f8427236a81bc77dc59c047

Download Submit
memory/532-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/532-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/672-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/672-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/728-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/728-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/880-389-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-368-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1188-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1204-423-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1204-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1272-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1272-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1316-309-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1316-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1372-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1372-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-347-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1736-409-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1736-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1792-381-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1792-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1800-424-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1956-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2192-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2192-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2200-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2200-231-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2228-112-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2272-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2272-326-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2316-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2316-204-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2380-267-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2380-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2384-396-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2404-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2404-222-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2596-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2596-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2664-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2664-354-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-284-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2736-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2736-402-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2924-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3024-375-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3272-382-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3428-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3428-189-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3580-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3580-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3660-395-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3660-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3704-249-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3704-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3708-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3708-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3716-410-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3836-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3836-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3872-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3872-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3892-417-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4056-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4056-416-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4084-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4084-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4116-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4116-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4132-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4132-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4144-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4144-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4280-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4280-361-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4288-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4288-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4388-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4388-312-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4392-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4392-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4412-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4412-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4472-403-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4624-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4624-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4720-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4768-48-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4768-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4780-171-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4780-258-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads