4990eb47eaab6fbeb0a233716397e6d2e0fca662e08641f0dba70adf6657151c

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6692a0c8f885e3713d8959cc27f2021_JC.exe
Size

349KB
MD5

d6692a0c8f885e3713d8959cc27f2021
SHA1

e21559afff448f1dc2fae558d752f3aa6b7addcd
SHA256

4990eb47eaab6fbeb0a233716397e6d2e0fca662e08641f0dba70adf6657151c
SHA512

862e55b21afee4755744a583cc8f8079ee31d51a5b55cb414d2783f21d330db84816252bb8cd1364128b9dceda36c965abbc7f59fe08838e74cc0d375faf253c
SSDEEP

6144:e8pXxXnuWflJHgRs+HsoTh3O64JVw/ekxgu8VZtK036E37JPwS0eeaB7DxB6HkMg:eAnu+EQ0h3/4JVw/eK98VZtK03937JPZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d6692a0c8f885e3713d8959cc27f2021_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d6692a0c8f885e3713d8959cc27f2021_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe

Executes dropped EXE 26 IoCs

pid	Process
2696	Aeiofcji.exe
3748	Anadoi32.exe
4940	Aeklkchg.exe
3584	Ajhddjfn.exe
4592	Aglemn32.exe
3916	Accfbokl.exe
4612	Bjmnoi32.exe
1708	Bebblb32.exe
4916	Bjokdipf.exe
3404	Bnmcjg32.exe
4640	Beglgani.exe
4152	Bnpppgdj.exe
1608	Beihma32.exe
3212	Belebq32.exe
1724	Cfmajipb.exe
3920	Chmndlge.exe
3020	Cjmgfgdf.exe
380	Ceckcp32.exe
3384	Ceehho32.exe
2276	Cmqmma32.exe
1188	Danecp32.exe
3708	Djgjlelk.exe
3304	Dfnjafap.exe
384	Dmgbnq32.exe
4536	Dmjocp32.exe
3764	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	d6692a0c8f885e3713d8959cc27f2021_JC.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	d6692a0c8f885e3713d8959cc27f2021_JC.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	d6692a0c8f885e3713d8959cc27f2021_JC.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3912	3764	WerFault.exe	111

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d6692a0c8f885e3713d8959cc27f2021_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d6692a0c8f885e3713d8959cc27f2021_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	d6692a0c8f885e3713d8959cc27f2021_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d6692a0c8f885e3713d8959cc27f2021_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d6692a0c8f885e3713d8959cc27f2021_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d6692a0c8f885e3713d8959cc27f2021_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2696	4852	d6692a0c8f885e3713d8959cc27f2021_JC.exe	85
PID 4852 wrote to memory of 2696	4852	d6692a0c8f885e3713d8959cc27f2021_JC.exe	85
PID 4852 wrote to memory of 2696	4852	d6692a0c8f885e3713d8959cc27f2021_JC.exe	85
PID 2696 wrote to memory of 3748	2696	Aeiofcji.exe	86
PID 2696 wrote to memory of 3748	2696	Aeiofcji.exe	86
PID 2696 wrote to memory of 3748	2696	Aeiofcji.exe	86
PID 3748 wrote to memory of 4940	3748	Anadoi32.exe	87
PID 3748 wrote to memory of 4940	3748	Anadoi32.exe	87
PID 3748 wrote to memory of 4940	3748	Anadoi32.exe	87
PID 4940 wrote to memory of 3584	4940	Aeklkchg.exe	88
PID 4940 wrote to memory of 3584	4940	Aeklkchg.exe	88
PID 4940 wrote to memory of 3584	4940	Aeklkchg.exe	88
PID 3584 wrote to memory of 4592	3584	Ajhddjfn.exe	89
PID 3584 wrote to memory of 4592	3584	Ajhddjfn.exe	89
PID 3584 wrote to memory of 4592	3584	Ajhddjfn.exe	89
PID 4592 wrote to memory of 3916	4592	Aglemn32.exe	90
PID 4592 wrote to memory of 3916	4592	Aglemn32.exe	90
PID 4592 wrote to memory of 3916	4592	Aglemn32.exe	90
PID 3916 wrote to memory of 4612	3916	Accfbokl.exe	91
PID 3916 wrote to memory of 4612	3916	Accfbokl.exe	91
PID 3916 wrote to memory of 4612	3916	Accfbokl.exe	91
PID 4612 wrote to memory of 1708	4612	Bjmnoi32.exe	92
PID 4612 wrote to memory of 1708	4612	Bjmnoi32.exe	92
PID 4612 wrote to memory of 1708	4612	Bjmnoi32.exe	92
PID 1708 wrote to memory of 4916	1708	Bebblb32.exe	93
PID 1708 wrote to memory of 4916	1708	Bebblb32.exe	93
PID 1708 wrote to memory of 4916	1708	Bebblb32.exe	93
PID 4916 wrote to memory of 3404	4916	Bjokdipf.exe	94
PID 4916 wrote to memory of 3404	4916	Bjokdipf.exe	94
PID 4916 wrote to memory of 3404	4916	Bjokdipf.exe	94
PID 3404 wrote to memory of 4640	3404	Bnmcjg32.exe	95
PID 3404 wrote to memory of 4640	3404	Bnmcjg32.exe	95
PID 3404 wrote to memory of 4640	3404	Bnmcjg32.exe	95
PID 4640 wrote to memory of 4152	4640	Beglgani.exe	96
PID 4640 wrote to memory of 4152	4640	Beglgani.exe	96
PID 4640 wrote to memory of 4152	4640	Beglgani.exe	96
PID 4152 wrote to memory of 1608	4152	Bnpppgdj.exe	97
PID 4152 wrote to memory of 1608	4152	Bnpppgdj.exe	97
PID 4152 wrote to memory of 1608	4152	Bnpppgdj.exe	97
PID 1608 wrote to memory of 3212	1608	Beihma32.exe	98
PID 1608 wrote to memory of 3212	1608	Beihma32.exe	98
PID 1608 wrote to memory of 3212	1608	Beihma32.exe	98
PID 3212 wrote to memory of 1724	3212	Belebq32.exe	99
PID 3212 wrote to memory of 1724	3212	Belebq32.exe	99
PID 3212 wrote to memory of 1724	3212	Belebq32.exe	99
PID 1724 wrote to memory of 3920	1724	Cfmajipb.exe	101
PID 1724 wrote to memory of 3920	1724	Cfmajipb.exe	101
PID 1724 wrote to memory of 3920	1724	Cfmajipb.exe	101
PID 3920 wrote to memory of 3020	3920	Chmndlge.exe	102
PID 3920 wrote to memory of 3020	3920	Chmndlge.exe	102
PID 3920 wrote to memory of 3020	3920	Chmndlge.exe	102
PID 3020 wrote to memory of 380	3020	Cjmgfgdf.exe	103
PID 3020 wrote to memory of 380	3020	Cjmgfgdf.exe	103
PID 3020 wrote to memory of 380	3020	Cjmgfgdf.exe	103
PID 380 wrote to memory of 3384	380	Ceckcp32.exe	104
PID 380 wrote to memory of 3384	380	Ceckcp32.exe	104
PID 380 wrote to memory of 3384	380	Ceckcp32.exe	104
PID 3384 wrote to memory of 2276	3384	Ceehho32.exe	105
PID 3384 wrote to memory of 2276	3384	Ceehho32.exe	105
PID 3384 wrote to memory of 2276	3384	Ceehho32.exe	105
PID 2276 wrote to memory of 1188	2276	Cmqmma32.exe	106
PID 2276 wrote to memory of 1188	2276	Cmqmma32.exe	106
PID 2276 wrote to memory of 1188	2276	Cmqmma32.exe	106
PID 1188 wrote to memory of 3708	1188	Danecp32.exe	107

C:\Users\Admin\AppData\Local\Temp\d6692a0c8f885e3713d8959cc27f2021_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d6692a0c8f885e3713d8959cc27f2021_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\Aeiofcji.exe
  C:\Windows\system32\Aeiofcji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Anadoi32.exe
    C:\Windows\system32\Anadoi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\SysWOW64\Aeklkchg.exe
      C:\Windows\system32\Aeklkchg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 396
        28⤵
        Program crash
        
        PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3764 -ip 3764
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
349KB

MD5
19aeade6181ca040d19536f9fce1ec3c

SHA1
53ad54a5f599cc3cc2ae8a8a1294e4a51eaa2446

SHA256
a4304e68e8bd95b6ee7d834418343afdf099c4c927f2a8e4810feedf79f76b23

SHA512
bc82fff459d4486c71904fc21e7f48bc54035081559236a3dae7b4b69127a8cfe777738580e4eecdf4b8ff4b4be3d06362578773d2952a3cba5876fa178f6d6a

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
349KB

MD5
19aeade6181ca040d19536f9fce1ec3c

SHA1
53ad54a5f599cc3cc2ae8a8a1294e4a51eaa2446

SHA256
a4304e68e8bd95b6ee7d834418343afdf099c4c927f2a8e4810feedf79f76b23

SHA512
bc82fff459d4486c71904fc21e7f48bc54035081559236a3dae7b4b69127a8cfe777738580e4eecdf4b8ff4b4be3d06362578773d2952a3cba5876fa178f6d6a

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
349KB

MD5
a45fd03aeb1aa423e22263e2fc7d20b7

SHA1
2c95d58d749ab225e24a7a1902b28e6cba9c9784

SHA256
2a69626c2645d7b844b5e87c2e48728adcf3c58a60c1dfd06eb9f2add8f7bc04

SHA512
7b6ae9907771a92264d4c984f4841ce327fa13cc890534a2a0dd9f81bfcc28924ad8c4fb53ed3a568f12f7a3898be0f42e575d71a9601badfed8450a88cfda17

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
349KB

MD5
a45fd03aeb1aa423e22263e2fc7d20b7

SHA1
2c95d58d749ab225e24a7a1902b28e6cba9c9784

SHA256
2a69626c2645d7b844b5e87c2e48728adcf3c58a60c1dfd06eb9f2add8f7bc04

SHA512
7b6ae9907771a92264d4c984f4841ce327fa13cc890534a2a0dd9f81bfcc28924ad8c4fb53ed3a568f12f7a3898be0f42e575d71a9601badfed8450a88cfda17

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
349KB

MD5
c537f272d14e296e10f3bae2421c9beb

SHA1
6879b3221f1c965f6c2625d06e85f03c65a6e5a9

SHA256
e56512e48449c284ad9953b60db42758ba7a2757a784911f9ebee0657fae37f5

SHA512
a406a8edd21278c5c9493b5f9bf5437a506f10d18a9329cfdab98c5d033c732b3fed86643ad81ec1c8ffbf4212cf80b46da774737a1486a13c6348ba058b640f

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
349KB

MD5
c537f272d14e296e10f3bae2421c9beb

SHA1
6879b3221f1c965f6c2625d06e85f03c65a6e5a9

SHA256
e56512e48449c284ad9953b60db42758ba7a2757a784911f9ebee0657fae37f5

SHA512
a406a8edd21278c5c9493b5f9bf5437a506f10d18a9329cfdab98c5d033c732b3fed86643ad81ec1c8ffbf4212cf80b46da774737a1486a13c6348ba058b640f

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
349KB

MD5
ea86cefeec8e7996296e5f3b305d4c98

SHA1
45447523db372f650466969926d8441385288b86

SHA256
f0d1c30a5f57989f1736910baf0f66150e501e45fd95f302695120e1047f30a4

SHA512
1e838537fd11999d5d1d5ceb7e235b8e12fb7e2ff80fe0d46cee46bbd10c60413afef86542462aed164327f81cf5b393cf5fbff6745615d31b15805fc7716fe1

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
349KB

MD5
ea86cefeec8e7996296e5f3b305d4c98

SHA1
45447523db372f650466969926d8441385288b86

SHA256
f0d1c30a5f57989f1736910baf0f66150e501e45fd95f302695120e1047f30a4

SHA512
1e838537fd11999d5d1d5ceb7e235b8e12fb7e2ff80fe0d46cee46bbd10c60413afef86542462aed164327f81cf5b393cf5fbff6745615d31b15805fc7716fe1

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
349KB

MD5
2ca114b98485b4f9618dfe777bcd209f

SHA1
8b04379c48b5b9c272ed2958045002548cd488c3

SHA256
030d54ddcf919c01246f6108209508f842b00f55f4d95bef35ab76c3815469b3

SHA512
139c30b8818dfe609b5154535985f15370047eb1517ac3813664c0e5bd93f634e750eee89882dc5456e34182305c125fdb4b7fc0077ba0db8d04398e625dafb6

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
349KB

MD5
2ca114b98485b4f9618dfe777bcd209f

SHA1
8b04379c48b5b9c272ed2958045002548cd488c3

SHA256
030d54ddcf919c01246f6108209508f842b00f55f4d95bef35ab76c3815469b3

SHA512
139c30b8818dfe609b5154535985f15370047eb1517ac3813664c0e5bd93f634e750eee89882dc5456e34182305c125fdb4b7fc0077ba0db8d04398e625dafb6

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
349KB

MD5
4234c223ca6acefcd5aed2a5ee195fe1

SHA1
35e92d455afea01c6055a8d2eff5c405ebef4e98

SHA256
cabe3c5335849e0f02c6c16add45112e93e3c1ca18cf742b48ec70b78448dc26

SHA512
f45b187c2ba328bc7f69bb1245c64c7a90d8e8d1eb4e1857a1e3490b7e33f7b8ce4d787e3e529f0bf514ed3c0eb0e342d2a85e9d20d02201417fded33576bf3c

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
349KB

MD5
4234c223ca6acefcd5aed2a5ee195fe1

SHA1
35e92d455afea01c6055a8d2eff5c405ebef4e98

SHA256
cabe3c5335849e0f02c6c16add45112e93e3c1ca18cf742b48ec70b78448dc26

SHA512
f45b187c2ba328bc7f69bb1245c64c7a90d8e8d1eb4e1857a1e3490b7e33f7b8ce4d787e3e529f0bf514ed3c0eb0e342d2a85e9d20d02201417fded33576bf3c

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
349KB

MD5
0ebaf5b9c43bb4ac5a99dc05fc6d7e74

SHA1
d007fe6412829ee13b21a247f369ee8dcf338ee3

SHA256
3c9e9d5cadfb2fe5d4674fa94f37a304a86af946598b89704314e330c7725eb9

SHA512
116da53daee8426b45baf8044a68aef6f81edbca3ef3717e76cd927506486fbfe263b9699d7cc3e9852c498b8eae7222e3a696ae98cdb0b12bccce385f98d44f

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
349KB

MD5
0ebaf5b9c43bb4ac5a99dc05fc6d7e74

SHA1
d007fe6412829ee13b21a247f369ee8dcf338ee3

SHA256
3c9e9d5cadfb2fe5d4674fa94f37a304a86af946598b89704314e330c7725eb9

SHA512
116da53daee8426b45baf8044a68aef6f81edbca3ef3717e76cd927506486fbfe263b9699d7cc3e9852c498b8eae7222e3a696ae98cdb0b12bccce385f98d44f

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
349KB

MD5
a46a6db42b7c75cc6a013976dba6633e

SHA1
e8abdd2d5013fd729866411acd991ce25b63a8c0

SHA256
cc871951f67f2701c199dda243f8a6938db7c1ca60d1a134eda25515fdb1be98

SHA512
449302cacd4b080ca43c3cfc0926ed73c7f0f8ccf29c9e3748b6bf65361218db9bf5e38e82fded8d0eddd26bdadf72090f41857ee8a3238e41c992bb3d1ec27c

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
349KB

MD5
a46a6db42b7c75cc6a013976dba6633e

SHA1
e8abdd2d5013fd729866411acd991ce25b63a8c0

SHA256
cc871951f67f2701c199dda243f8a6938db7c1ca60d1a134eda25515fdb1be98

SHA512
449302cacd4b080ca43c3cfc0926ed73c7f0f8ccf29c9e3748b6bf65361218db9bf5e38e82fded8d0eddd26bdadf72090f41857ee8a3238e41c992bb3d1ec27c

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
349KB

MD5
2df575f1ac6800aaa29ec690b1dbbdb7

SHA1
07de83deaf1ce40d1ee5ba327958ca2b41611fe0

SHA256
6960c8d58a2d7f13a8f4be88674d1a7d60fb7b8ecfc3bbcf9c399449c0c25553

SHA512
05227550220466a561bcea7d364f145566c4305ba0c2f100ffcc30a6acf951a7c38867cfacaae8a89d5c5d52facc838a243d873e0eeb858aef34130252828204

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
349KB

MD5
2df575f1ac6800aaa29ec690b1dbbdb7

SHA1
07de83deaf1ce40d1ee5ba327958ca2b41611fe0

SHA256
6960c8d58a2d7f13a8f4be88674d1a7d60fb7b8ecfc3bbcf9c399449c0c25553

SHA512
05227550220466a561bcea7d364f145566c4305ba0c2f100ffcc30a6acf951a7c38867cfacaae8a89d5c5d52facc838a243d873e0eeb858aef34130252828204

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
349KB

MD5
5c7c8e2a1aa16c3fb307e622acba77db

SHA1
3fb994d3fe381b5b93f701ba6d137c5a9d3c0b2c

SHA256
e7f7bb3ab32e3e9ab81fb3af961040709c7d037624c493e4c994a32c2ee29e06

SHA512
0a4473ac76b9c1e0a2125ae594a0f27988290561bdb91e8cf74eec941b3821fa3e5ee934c5acc0477e2d930dbe00ba0a6161da90121b213f0ef2252639f17ba2

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
349KB

MD5
5c7c8e2a1aa16c3fb307e622acba77db

SHA1
3fb994d3fe381b5b93f701ba6d137c5a9d3c0b2c

SHA256
e7f7bb3ab32e3e9ab81fb3af961040709c7d037624c493e4c994a32c2ee29e06

SHA512
0a4473ac76b9c1e0a2125ae594a0f27988290561bdb91e8cf74eec941b3821fa3e5ee934c5acc0477e2d930dbe00ba0a6161da90121b213f0ef2252639f17ba2

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
349KB

MD5
d6a652745724b31f836794b6270163b3

SHA1
f129f91de46838e97f5536ddd170507f02108093

SHA256
b2584afafe741cf1edc63f3097dc70f7ac9def73a24bc9298f8b8bd6c8c8a82a

SHA512
17e5c2d758909b946311f1bdc15435ae4dc5fd83de1f14516c31695dc18e6a10bcf7373afdeeae1fac19955a9b8d5281dd1cb1f40773e7f162b06b41255c45dd

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
349KB

MD5
d6a652745724b31f836794b6270163b3

SHA1
f129f91de46838e97f5536ddd170507f02108093

SHA256
b2584afafe741cf1edc63f3097dc70f7ac9def73a24bc9298f8b8bd6c8c8a82a

SHA512
17e5c2d758909b946311f1bdc15435ae4dc5fd83de1f14516c31695dc18e6a10bcf7373afdeeae1fac19955a9b8d5281dd1cb1f40773e7f162b06b41255c45dd

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
349KB

MD5
97c76ad55887833acea171ee77b686cb

SHA1
530a9f0740c92d2a39f4b4a4062d614d9589d4df

SHA256
53b6cfe10b56d149445b0029e26bfa77d38b3a451912516321efd1b623051194

SHA512
c9c2271fa761e0ec79b6406f25f07c1a2f738e3065379d96334b42462137190c68663790466693017bdbb004c1c366cad225a29e91248f8a00f3b4d059b8145c

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
349KB

MD5
97c76ad55887833acea171ee77b686cb

SHA1
530a9f0740c92d2a39f4b4a4062d614d9589d4df

SHA256
53b6cfe10b56d149445b0029e26bfa77d38b3a451912516321efd1b623051194

SHA512
c9c2271fa761e0ec79b6406f25f07c1a2f738e3065379d96334b42462137190c68663790466693017bdbb004c1c366cad225a29e91248f8a00f3b4d059b8145c

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
349KB

MD5
3b52c5ae0c3844a6f7cdad5ccee189fe

SHA1
b8a31578c2ae11b932662f1e6efb9dc838c5a171

SHA256
d7ddc586d0c92f33a0981d91dd360fabacbaf3952ee4d14da68cb9b36d253ba7

SHA512
dad3ef16e9a3e18ad3ec67e86eaae4ed677e1ed2b3ca6b55213800c80ad4ebfffeb6df55a823d0953d62523fa26564ef9ee035f777457cc4620b71ffc9332a72

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
349KB

MD5
3b52c5ae0c3844a6f7cdad5ccee189fe

SHA1
b8a31578c2ae11b932662f1e6efb9dc838c5a171

SHA256
d7ddc586d0c92f33a0981d91dd360fabacbaf3952ee4d14da68cb9b36d253ba7

SHA512
dad3ef16e9a3e18ad3ec67e86eaae4ed677e1ed2b3ca6b55213800c80ad4ebfffeb6df55a823d0953d62523fa26564ef9ee035f777457cc4620b71ffc9332a72

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
349KB

MD5
c13f13ef30672ca70816999b6675eca2

SHA1
ef35fbce6a939bf58dee5fd751a47287e4c1f3db

SHA256
48525443dcbb3a0db0bb2cf2e44e41a83ac863ffeda5fe21387469cc6722b737

SHA512
6a5ecfefec2e775a02b435c2ad0591e41ce15c609034d1e34c30cc8563fbcadbe392ff33dc764ea30e02d9b9f0d6ac8e79ecfef734436fab63ee8b9f9f32b0d1

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
349KB

MD5
c13f13ef30672ca70816999b6675eca2

SHA1
ef35fbce6a939bf58dee5fd751a47287e4c1f3db

SHA256
48525443dcbb3a0db0bb2cf2e44e41a83ac863ffeda5fe21387469cc6722b737

SHA512
6a5ecfefec2e775a02b435c2ad0591e41ce15c609034d1e34c30cc8563fbcadbe392ff33dc764ea30e02d9b9f0d6ac8e79ecfef734436fab63ee8b9f9f32b0d1

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
349KB

MD5
8378cfa5c8590026b561a2de11283851

SHA1
f2ed99e66708b8c219cca1413b82a8027c8399dd

SHA256
f6418dd61168f76d154801b8e2b3671239f2032a255c30aefc58bc0c3ff5fd3f

SHA512
78404696caf7b5f415d57aff22335895f0e6346ab20875069ded6fb8a80712f00cf8f23a1584854ef6b8890013e09a78d966afe40da3ca8bba7b0cc2941e865c

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
349KB

MD5
8378cfa5c8590026b561a2de11283851

SHA1
f2ed99e66708b8c219cca1413b82a8027c8399dd

SHA256
f6418dd61168f76d154801b8e2b3671239f2032a255c30aefc58bc0c3ff5fd3f

SHA512
78404696caf7b5f415d57aff22335895f0e6346ab20875069ded6fb8a80712f00cf8f23a1584854ef6b8890013e09a78d966afe40da3ca8bba7b0cc2941e865c

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
349KB

MD5
9024cd852aa0ad777ba6e7f178e9328d

SHA1
3e0785458a61d310e4171975456d9b163acc889e

SHA256
57585bef258083718aa51a84e493fa1025da390bdcbcb5c231827c24857d631e

SHA512
3285216538bbfa7dc14cd3d37a9585c7d906cea091f550d53202c6e54cb48bd4d5dee7b10e5c823fd059e75dff4e46a69c7e05ba3769d06c8d55087ead8b28a8

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
349KB

MD5
9024cd852aa0ad777ba6e7f178e9328d

SHA1
3e0785458a61d310e4171975456d9b163acc889e

SHA256
57585bef258083718aa51a84e493fa1025da390bdcbcb5c231827c24857d631e

SHA512
3285216538bbfa7dc14cd3d37a9585c7d906cea091f550d53202c6e54cb48bd4d5dee7b10e5c823fd059e75dff4e46a69c7e05ba3769d06c8d55087ead8b28a8

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
349KB

MD5
1e42a049da84be06a9cfac193910a153

SHA1
f785ea5c67678a89b7484734bcd41d4babdfc45d

SHA256
59aeb7175acb996b8ba48f983b1faa30484f6493c4ac9066342273b25224c289

SHA512
94f5454855f4bac0139bce79f7e4394daf1921ff87b92b8df722a35e7e82418303d22cac78412b12c1c16f8a4267bfde844e6c5b02d22031a871f77b1207e359

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
349KB

MD5
1e42a049da84be06a9cfac193910a153

SHA1
f785ea5c67678a89b7484734bcd41d4babdfc45d

SHA256
59aeb7175acb996b8ba48f983b1faa30484f6493c4ac9066342273b25224c289

SHA512
94f5454855f4bac0139bce79f7e4394daf1921ff87b92b8df722a35e7e82418303d22cac78412b12c1c16f8a4267bfde844e6c5b02d22031a871f77b1207e359

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
349KB

MD5
f653a3a9fa9e6e25f55609859c1787eb

SHA1
ba69f72a21692231b143705ef2e18700c5bda4bc

SHA256
696bc2fdebfb49bc3d73869f02492a5be1032a51a864dbf7ee26c92a3ed7d409

SHA512
0db55d5f2881c2b4fd229b87f31b0889afcd0330d586558c9b4706261bac653df2378c35acc4bbe992724e499709433aa938641e16b68b9432149e0de4859c64

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
349KB

MD5
f653a3a9fa9e6e25f55609859c1787eb

SHA1
ba69f72a21692231b143705ef2e18700c5bda4bc

SHA256
696bc2fdebfb49bc3d73869f02492a5be1032a51a864dbf7ee26c92a3ed7d409

SHA512
0db55d5f2881c2b4fd229b87f31b0889afcd0330d586558c9b4706261bac653df2378c35acc4bbe992724e499709433aa938641e16b68b9432149e0de4859c64

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
349KB

MD5
276e3fc94c785e152e331a216835ed04

SHA1
b35bd8fc5f7b29eececceb40dfed3570d5f7e5de

SHA256
ad476241462913f17eefbcef544657ff907c050e8a788fed578b417afd72c59a

SHA512
1e684ffade97f10f907be3b3fdfcee18adcd39493c1a4478562e468c0962fb98d9da01f3a1fe701d267db9875ef185c7e960d0ebf1d35f10745f578810ace53f

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
349KB

MD5
276e3fc94c785e152e331a216835ed04

SHA1
b35bd8fc5f7b29eececceb40dfed3570d5f7e5de

SHA256
ad476241462913f17eefbcef544657ff907c050e8a788fed578b417afd72c59a

SHA512
1e684ffade97f10f907be3b3fdfcee18adcd39493c1a4478562e468c0962fb98d9da01f3a1fe701d267db9875ef185c7e960d0ebf1d35f10745f578810ace53f

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
349KB

MD5
7e5b528743908a75cdc3086d4d0d1d03

SHA1
6ff354411ccd933e7c839fbc1365818918864da1

SHA256
f3c6743c7602ee886b755181b974018c753e241018dae396ea539b4804807099

SHA512
4eaafe5640531de7da1147e653e342019ed3bf3917dea41a33f5a3017a7c0621c2f3ddd2733f071d3799c8520869233f5c25ce36b76901f6d57f8f9e886fdf18

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
349KB

MD5
7e5b528743908a75cdc3086d4d0d1d03

SHA1
6ff354411ccd933e7c839fbc1365818918864da1

SHA256
f3c6743c7602ee886b755181b974018c753e241018dae396ea539b4804807099

SHA512
4eaafe5640531de7da1147e653e342019ed3bf3917dea41a33f5a3017a7c0621c2f3ddd2733f071d3799c8520869233f5c25ce36b76901f6d57f8f9e886fdf18

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
349KB

MD5
7e5b528743908a75cdc3086d4d0d1d03

SHA1
6ff354411ccd933e7c839fbc1365818918864da1

SHA256
f3c6743c7602ee886b755181b974018c753e241018dae396ea539b4804807099

SHA512
4eaafe5640531de7da1147e653e342019ed3bf3917dea41a33f5a3017a7c0621c2f3ddd2733f071d3799c8520869233f5c25ce36b76901f6d57f8f9e886fdf18

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
349KB

MD5
007c36911f7bdea2a22e6ecf5b3127f9

SHA1
b78b08224742a85f3e536866bf5bee4f33c7ac66

SHA256
ca64e4b22c068012f326b9cb57d0f28240c0478838192bdd0eb0094df600398c

SHA512
91c1bc35e1176e3ef7458ff9a0fb938fc00c10ce16e3d0b56fab2211b239da6ca496fa73243916726a8571c801f2e36134f3ee6f3986399f8c1939ae2645a826

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
349KB

MD5
007c36911f7bdea2a22e6ecf5b3127f9

SHA1
b78b08224742a85f3e536866bf5bee4f33c7ac66

SHA256
ca64e4b22c068012f326b9cb57d0f28240c0478838192bdd0eb0094df600398c

SHA512
91c1bc35e1176e3ef7458ff9a0fb938fc00c10ce16e3d0b56fab2211b239da6ca496fa73243916726a8571c801f2e36134f3ee6f3986399f8c1939ae2645a826

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
349KB

MD5
cbbfbb5e463afc0d608aa77b464174ff

SHA1
0d3bdffd38627b118129aa4c7b355c0e9f01d676

SHA256
748f53e268be369097ea06a32f525dfc81b7710451275d92ead8ff79583d2184

SHA512
5434ce14652a1894dc820254e717b8f46510fa42111cca2c6a4e13753c4c651f1da928a329ededf86256034915711fc4f02387a4ee6a9c0bbf1143a7430d9ae8

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
349KB

MD5
cbbfbb5e463afc0d608aa77b464174ff

SHA1
0d3bdffd38627b118129aa4c7b355c0e9f01d676

SHA256
748f53e268be369097ea06a32f525dfc81b7710451275d92ead8ff79583d2184

SHA512
5434ce14652a1894dc820254e717b8f46510fa42111cca2c6a4e13753c4c651f1da928a329ededf86256034915711fc4f02387a4ee6a9c0bbf1143a7430d9ae8

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
349KB

MD5
864f1033391a2936772f5613df66b168

SHA1
5e05fa499a65e6c7ead867acefa1d1f63fdaa4c6

SHA256
267ac51d7adb432fc2bc243f25eb42f3c666a54de8c2947613fd529ed3891380

SHA512
fea30b8871faa1d164195e0dad61e32dd49c3402de22d21a14101354f12c67bafb96bfcf5dfdbd7e86b15c6285c493a04459aa52c0c0f176ac3d44b5920bb1ac

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
349KB

MD5
864f1033391a2936772f5613df66b168

SHA1
5e05fa499a65e6c7ead867acefa1d1f63fdaa4c6

SHA256
267ac51d7adb432fc2bc243f25eb42f3c666a54de8c2947613fd529ed3891380

SHA512
fea30b8871faa1d164195e0dad61e32dd49c3402de22d21a14101354f12c67bafb96bfcf5dfdbd7e86b15c6285c493a04459aa52c0c0f176ac3d44b5920bb1ac

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
349KB

MD5
47ce3414f181751ba56d952878403549

SHA1
a9e0f0e464ca0a483e013179d29cf61f92b23dec

SHA256
612cfa5c91bfef032a3aa115d399ecf8d12e1543f2ccfe905ae7124412c28a23

SHA512
ec9f4415365d18da7e0f761d5cc0ca285c492fc9edde6af6505043c707a55dcaa7971afffa9865afb6f9a46b9890e32866e20ea454b4cf904566aa4a8bc40cf1

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
349KB

MD5
47ce3414f181751ba56d952878403549

SHA1
a9e0f0e464ca0a483e013179d29cf61f92b23dec

SHA256
612cfa5c91bfef032a3aa115d399ecf8d12e1543f2ccfe905ae7124412c28a23

SHA512
ec9f4415365d18da7e0f761d5cc0ca285c492fc9edde6af6505043c707a55dcaa7971afffa9865afb6f9a46b9890e32866e20ea454b4cf904566aa4a8bc40cf1

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
349KB

MD5
3b81da0ba902dd2c34c5944c2d688fce

SHA1
57bf7b10cea6d5a5721334fe69d39a7020facf94

SHA256
7695350d27ed6f482fdab0cb57f5d75e3d0a99f8a1bd5a0a793ec66583f09ad5

SHA512
8939605d488bb727d27232cbedaa7bfbb17c5f95b657c18ad0048970816e9ed7d418ff5e251dac8def3ce8a2fb259e70bd327fd4c656c9f82991ce1cf0ecc81e

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
349KB

MD5
3b81da0ba902dd2c34c5944c2d688fce

SHA1
57bf7b10cea6d5a5721334fe69d39a7020facf94

SHA256
7695350d27ed6f482fdab0cb57f5d75e3d0a99f8a1bd5a0a793ec66583f09ad5

SHA512
8939605d488bb727d27232cbedaa7bfbb17c5f95b657c18ad0048970816e9ed7d418ff5e251dac8def3ce8a2fb259e70bd327fd4c656c9f82991ce1cf0ecc81e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
349KB

MD5
e24c632a4eda44934511d9eeb11db340

SHA1
b037cd76a7386a4425633a30ddb73949255738d0

SHA256
f69db718bd10f995d1b41d39c5a496d251ef7529799fb105906d43368d8d8873

SHA512
6d1259e001fd95968ba86eb5510108c644634b8a30d0ab02150a31bb405c87df0ded8a746eeebc6db1f93bb9ab87da79f27e07f661c170d3960356059e10d6b7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
349KB

MD5
e24c632a4eda44934511d9eeb11db340

SHA1
b037cd76a7386a4425633a30ddb73949255738d0

SHA256
f69db718bd10f995d1b41d39c5a496d251ef7529799fb105906d43368d8d8873

SHA512
6d1259e001fd95968ba86eb5510108c644634b8a30d0ab02150a31bb405c87df0ded8a746eeebc6db1f93bb9ab87da79f27e07f661c170d3960356059e10d6b7

Download Submit
memory/380-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads