70359cf325b3a507dec370073dcc4f0ccf4bc5ebaab95b136146da547fc3525e

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e11595807b8455de73fa4f715bafc42_JC.exe
Size

362KB
MD5

3e11595807b8455de73fa4f715bafc42
SHA1

4cb35b9bbdc643b2a903a8f7f9f3a26854000fd5
SHA256

70359cf325b3a507dec370073dcc4f0ccf4bc5ebaab95b136146da547fc3525e
SHA512

41f58af3a8a0a54c47f3b18bcadf7eb220e01920df11eec48016ca1f394a6b0b26af2925d43ad7d0850f81cb8e6dddf5eafb8711f5c881cf507130dfac01f891
SSDEEP

6144:RY9Tyq0hX/0h7tGDuMEUrQVad7nG3mbDp2o+SsmiMyhtHEyr5psPc1aj8DOvlvuF:qdZmX/0VtmuMtrQ07nGWxWSsmiMyh95V

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3e11595807b8455de73fa4f715bafc42_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3e11595807b8455de73fa4f715bafc42_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe

Executes dropped EXE 30 IoCs

pid	Process
896	Pmidog32.exe
392	Pjmehkqk.exe
4900	Qdbiedpa.exe
3496	Qnjnnj32.exe
4844	Qddfkd32.exe
3308	Adgbpc32.exe
2992	Aeiofcji.exe
964	Anadoi32.exe
4036	Andqdh32.exe
4504	Aeniabfd.exe
5084	Ajkaii32.exe
4548	Agoabn32.exe
3352	Bganhm32.exe
3448	Baicac32.exe
2092	Bcjlcn32.exe
4720	Banllbdn.exe
2000	Cndikf32.exe
2160	Ceqnmpfo.exe
3964	Cjmgfgdf.exe
852	Cnkplejl.exe
1572	Cjbpaf32.exe
4252	Djdmffnn.exe
3912	Danecp32.exe
3500	Dfknkg32.exe
1352	Dmefhako.exe
4752	Delnin32.exe
3684	Dfnjafap.exe
2104	Dmgbnq32.exe
4108	Dhocqigp.exe
440	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	3e11595807b8455de73fa4f715bafc42_JC.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	3e11595807b8455de73fa4f715bafc42_JC.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Banllbdn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4316	440	WerFault.exe	116

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	3e11595807b8455de73fa4f715bafc42_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3e11595807b8455de73fa4f715bafc42_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3e11595807b8455de73fa4f715bafc42_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	3e11595807b8455de73fa4f715bafc42_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	3e11595807b8455de73fa4f715bafc42_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3e11595807b8455de73fa4f715bafc42_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 896	1164	3e11595807b8455de73fa4f715bafc42_JC.exe	85
PID 1164 wrote to memory of 896	1164	3e11595807b8455de73fa4f715bafc42_JC.exe	85
PID 1164 wrote to memory of 896	1164	3e11595807b8455de73fa4f715bafc42_JC.exe	85
PID 896 wrote to memory of 392	896	Pmidog32.exe	86
PID 896 wrote to memory of 392	896	Pmidog32.exe	86
PID 896 wrote to memory of 392	896	Pmidog32.exe	86
PID 392 wrote to memory of 4900	392	Pjmehkqk.exe	87
PID 392 wrote to memory of 4900	392	Pjmehkqk.exe	87
PID 392 wrote to memory of 4900	392	Pjmehkqk.exe	87
PID 4900 wrote to memory of 3496	4900	Qdbiedpa.exe	88
PID 4900 wrote to memory of 3496	4900	Qdbiedpa.exe	88
PID 4900 wrote to memory of 3496	4900	Qdbiedpa.exe	88
PID 3496 wrote to memory of 4844	3496	Qnjnnj32.exe	89
PID 3496 wrote to memory of 4844	3496	Qnjnnj32.exe	89
PID 3496 wrote to memory of 4844	3496	Qnjnnj32.exe	89
PID 4844 wrote to memory of 3308	4844	Qddfkd32.exe	91
PID 4844 wrote to memory of 3308	4844	Qddfkd32.exe	91
PID 4844 wrote to memory of 3308	4844	Qddfkd32.exe	91
PID 3308 wrote to memory of 2992	3308	Adgbpc32.exe	92
PID 3308 wrote to memory of 2992	3308	Adgbpc32.exe	92
PID 3308 wrote to memory of 2992	3308	Adgbpc32.exe	92
PID 2992 wrote to memory of 964	2992	Aeiofcji.exe	93
PID 2992 wrote to memory of 964	2992	Aeiofcji.exe	93
PID 2992 wrote to memory of 964	2992	Aeiofcji.exe	93
PID 964 wrote to memory of 4036	964	Anadoi32.exe	94
PID 964 wrote to memory of 4036	964	Anadoi32.exe	94
PID 964 wrote to memory of 4036	964	Anadoi32.exe	94
PID 4036 wrote to memory of 4504	4036	Andqdh32.exe	95
PID 4036 wrote to memory of 4504	4036	Andqdh32.exe	95
PID 4036 wrote to memory of 4504	4036	Andqdh32.exe	95
PID 4504 wrote to memory of 5084	4504	Aeniabfd.exe	96
PID 4504 wrote to memory of 5084	4504	Aeniabfd.exe	96
PID 4504 wrote to memory of 5084	4504	Aeniabfd.exe	96
PID 5084 wrote to memory of 4548	5084	Ajkaii32.exe	97
PID 5084 wrote to memory of 4548	5084	Ajkaii32.exe	97
PID 5084 wrote to memory of 4548	5084	Ajkaii32.exe	97
PID 4548 wrote to memory of 3352	4548	Agoabn32.exe	98
PID 4548 wrote to memory of 3352	4548	Agoabn32.exe	98
PID 4548 wrote to memory of 3352	4548	Agoabn32.exe	98
PID 3352 wrote to memory of 3448	3352	Bganhm32.exe	99
PID 3352 wrote to memory of 3448	3352	Bganhm32.exe	99
PID 3352 wrote to memory of 3448	3352	Bganhm32.exe	99
PID 3448 wrote to memory of 2092	3448	Baicac32.exe	100
PID 3448 wrote to memory of 2092	3448	Baicac32.exe	100
PID 3448 wrote to memory of 2092	3448	Baicac32.exe	100
PID 2092 wrote to memory of 4720	2092	Bcjlcn32.exe	101
PID 2092 wrote to memory of 4720	2092	Bcjlcn32.exe	101
PID 2092 wrote to memory of 4720	2092	Bcjlcn32.exe	101
PID 4720 wrote to memory of 2000	4720	Banllbdn.exe	102
PID 4720 wrote to memory of 2000	4720	Banllbdn.exe	102
PID 4720 wrote to memory of 2000	4720	Banllbdn.exe	102
PID 2000 wrote to memory of 2160	2000	Cndikf32.exe	103
PID 2000 wrote to memory of 2160	2000	Cndikf32.exe	103
PID 2000 wrote to memory of 2160	2000	Cndikf32.exe	103
PID 2160 wrote to memory of 3964	2160	Ceqnmpfo.exe	104
PID 2160 wrote to memory of 3964	2160	Ceqnmpfo.exe	104
PID 2160 wrote to memory of 3964	2160	Ceqnmpfo.exe	104
PID 3964 wrote to memory of 852	3964	Cjmgfgdf.exe	105
PID 3964 wrote to memory of 852	3964	Cjmgfgdf.exe	105
PID 3964 wrote to memory of 852	3964	Cjmgfgdf.exe	105
PID 852 wrote to memory of 1572	852	Cnkplejl.exe	106
PID 852 wrote to memory of 1572	852	Cnkplejl.exe	106
PID 852 wrote to memory of 1572	852	Cnkplejl.exe	106
PID 1572 wrote to memory of 4252	1572	Cjbpaf32.exe	114

C:\Users\Admin\AppData\Local\Temp\3e11595807b8455de73fa4f715bafc42_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3e11595807b8455de73fa4f715bafc42_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\Pmidog32.exe
  C:\Windows\system32\Pmidog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\Pjmehkqk.exe
    C:\Windows\system32\Pjmehkqk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\Qdbiedpa.exe
      C:\Windows\system32\Qdbiedpa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252

C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3912
- C:\Windows\SysWOW64\Dfknkg32.exe
  C:\Windows\system32\Dfknkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3500
- - C:\Windows\SysWOW64\Dmefhako.exe
    C:\Windows\system32\Dmefhako.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1352

C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2104
- C:\Windows\SysWOW64\Dhocqigp.exe
  C:\Windows\system32\Dhocqigp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4108
- - C:\Windows\SysWOW64\Dmllipeg.exe
    C:\Windows\system32\Dmllipeg.exe
    3⤵
    - Executes dropped EXE
    PID:440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 416
      4⤵
      Program crash
      PID:4316

C:\Windows\SysWOW64\Dfnjafap.exe
C:\Windows\system32\Dfnjafap.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3684

C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 440 -ip 440
1⤵
PID:612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
362KB

MD5
a1f820cd0cc1045405b02643156c5a1d

SHA1
0779e3eeaae886825e1247e2874d2a61f2df0c81

SHA256
3887bfae9711a4cda813dbb9445aeac60c33c37543e1992beb22b207994a0c25

SHA512
5aa9e72e48588c34d216ddbb03acc10a146ffe6932a5c68571f73ec80645c84e672472ead57c3b2759432ea30f30d5807131fab78d6076d1e32cf1f5b2e25014

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
362KB

MD5
a1f820cd0cc1045405b02643156c5a1d

SHA1
0779e3eeaae886825e1247e2874d2a61f2df0c81

SHA256
3887bfae9711a4cda813dbb9445aeac60c33c37543e1992beb22b207994a0c25

SHA512
5aa9e72e48588c34d216ddbb03acc10a146ffe6932a5c68571f73ec80645c84e672472ead57c3b2759432ea30f30d5807131fab78d6076d1e32cf1f5b2e25014

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
362KB

MD5
66e753bc46aa1049eb92915ec87a13b3

SHA1
68327c9c679ec289e4c2aa3e9796510707117907

SHA256
3834794f2075f585b9e38ffabb5cfd1c45eca5b108d3b502255b3cb170a96139

SHA512
488e11ed11cb55099630abef8e467032af60631d3587ec26a58985bd85e79d083e9e7d72e715dede8c7a391127450d169d35d6aa6de85a950f1a507e1243b7fa

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
362KB

MD5
66e753bc46aa1049eb92915ec87a13b3

SHA1
68327c9c679ec289e4c2aa3e9796510707117907

SHA256
3834794f2075f585b9e38ffabb5cfd1c45eca5b108d3b502255b3cb170a96139

SHA512
488e11ed11cb55099630abef8e467032af60631d3587ec26a58985bd85e79d083e9e7d72e715dede8c7a391127450d169d35d6aa6de85a950f1a507e1243b7fa

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
362KB

MD5
b6471adc49c087165d61260a6c3d1980

SHA1
36941a5cc29e5b7bfb5d3586a61bf24fee5524c9

SHA256
4efd1861a23e836c1e219e26440c31aa895a1cc830e8dcd02020abd6e643054e

SHA512
da99287f160d427d7a8ab9a4dd41c3e1c7f8b9706dffa9dde6b36f8f0ef72e6525509a653247316c87371ed557358ff524766087d12748a1501c150da846408d

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
362KB

MD5
b6471adc49c087165d61260a6c3d1980

SHA1
36941a5cc29e5b7bfb5d3586a61bf24fee5524c9

SHA256
4efd1861a23e836c1e219e26440c31aa895a1cc830e8dcd02020abd6e643054e

SHA512
da99287f160d427d7a8ab9a4dd41c3e1c7f8b9706dffa9dde6b36f8f0ef72e6525509a653247316c87371ed557358ff524766087d12748a1501c150da846408d

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
362KB

MD5
92d7c3f3882845181b4a02082ef456c2

SHA1
d5999d50c5b11280a5f9f6bb935868d16ca049e5

SHA256
fff4b6d8699d3563961b186e1ad13cfb8a11a9e110e147770d640c91c333cea4

SHA512
964140feb887798d9f14fa45b25a59db4cf0048b865e64b50323fe9ad5fa4cebb5ceb3e353b10bc3c6292257bfce2ad8e296208864a3338b8868c95e096e1914

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
362KB

MD5
92d7c3f3882845181b4a02082ef456c2

SHA1
d5999d50c5b11280a5f9f6bb935868d16ca049e5

SHA256
fff4b6d8699d3563961b186e1ad13cfb8a11a9e110e147770d640c91c333cea4

SHA512
964140feb887798d9f14fa45b25a59db4cf0048b865e64b50323fe9ad5fa4cebb5ceb3e353b10bc3c6292257bfce2ad8e296208864a3338b8868c95e096e1914

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
362KB

MD5
d62c0b15d79922da17bc45e5da22e6c8

SHA1
4645a4526a3672009a3b5a3002441b7dcd1172ad

SHA256
f28d43f06741e5dace764c2deef9dd86fa5576c8320ba3384fc4acedd990b477

SHA512
17d546e99d8147207b9bce8eedd04a78f7dafb9e9b1c1df5c98c215239b95d3f249baa482549d6eddcccd7372f7ac6a09b200c636fd570472b866a5e9c9f0d2d

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
362KB

MD5
d62c0b15d79922da17bc45e5da22e6c8

SHA1
4645a4526a3672009a3b5a3002441b7dcd1172ad

SHA256
f28d43f06741e5dace764c2deef9dd86fa5576c8320ba3384fc4acedd990b477

SHA512
17d546e99d8147207b9bce8eedd04a78f7dafb9e9b1c1df5c98c215239b95d3f249baa482549d6eddcccd7372f7ac6a09b200c636fd570472b866a5e9c9f0d2d

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
362KB

MD5
727cf8356218d242608d8e6d2c98e244

SHA1
e651ee7116f7eb6b0db86acc6e1f68cb581729a8

SHA256
7184bb5a65ad28a9d39de295f83a8e0702e6e103aa35655bbba008c38f7a4101

SHA512
df0dcaf663c866e4887fa954652c9586403afbd9d4545ec84344ad9775505572d954086448c6d86885b5ec7e74d5f4ed616d69971ffe51f0a25e7001ad83760a

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
362KB

MD5
727cf8356218d242608d8e6d2c98e244

SHA1
e651ee7116f7eb6b0db86acc6e1f68cb581729a8

SHA256
7184bb5a65ad28a9d39de295f83a8e0702e6e103aa35655bbba008c38f7a4101

SHA512
df0dcaf663c866e4887fa954652c9586403afbd9d4545ec84344ad9775505572d954086448c6d86885b5ec7e74d5f4ed616d69971ffe51f0a25e7001ad83760a

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
362KB

MD5
657f6bd4a6a4963b7b75a6be46ba1133

SHA1
dc2fe11c828966c77ecd9919ab014059a41067e1

SHA256
181d52ef086cd86ff42d87c03ec51e4441a9f7175db523b305ea88c1ec01a770

SHA512
72ba5d55d7643fdb2021fa3e965508cfcd9486a1e6be7307c8bac4492034b85811b7a7d4777918671a00367aeea74e9205bde3f2344189f89d639ef798ea2e24

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
362KB

MD5
657f6bd4a6a4963b7b75a6be46ba1133

SHA1
dc2fe11c828966c77ecd9919ab014059a41067e1

SHA256
181d52ef086cd86ff42d87c03ec51e4441a9f7175db523b305ea88c1ec01a770

SHA512
72ba5d55d7643fdb2021fa3e965508cfcd9486a1e6be7307c8bac4492034b85811b7a7d4777918671a00367aeea74e9205bde3f2344189f89d639ef798ea2e24

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
362KB

MD5
9ac1b3c757f76886b31cf18a75367232

SHA1
6dd71ebb2ae18ad62354f049a2fd211163c1e67f

SHA256
23f6e67dfa255a3c1e0ae418daa11347e9b4bfc8b47a4a95579ab5931ac20a57

SHA512
a6aae96184812d0dd34c86e221a0c4c92bfd2315736dea7e193989cc577edd1806c39dbb131007f2156b5facb2c572e8b1984f737c6aa9bb47df9dd494e52670

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
362KB

MD5
9ac1b3c757f76886b31cf18a75367232

SHA1
6dd71ebb2ae18ad62354f049a2fd211163c1e67f

SHA256
23f6e67dfa255a3c1e0ae418daa11347e9b4bfc8b47a4a95579ab5931ac20a57

SHA512
a6aae96184812d0dd34c86e221a0c4c92bfd2315736dea7e193989cc577edd1806c39dbb131007f2156b5facb2c572e8b1984f737c6aa9bb47df9dd494e52670

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
362KB

MD5
3b2a8699a94e4defc77a2532bb78b8ca

SHA1
d7463deca2858c45802c79657d01277c9283faeb

SHA256
5a94a878f9ab598473ade8f5f069f65d98f6450598921090fa3a83bf4319c66e

SHA512
d71f27e1c812c636351f37a4d7d73d7323fefe46d6527c936edcd5a5c75a5a259bb7aa62f46674a311b4a8661a617466b8625edf7f7a4c7cca4bc5103dcf0762

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
362KB

MD5
3b2a8699a94e4defc77a2532bb78b8ca

SHA1
d7463deca2858c45802c79657d01277c9283faeb

SHA256
5a94a878f9ab598473ade8f5f069f65d98f6450598921090fa3a83bf4319c66e

SHA512
d71f27e1c812c636351f37a4d7d73d7323fefe46d6527c936edcd5a5c75a5a259bb7aa62f46674a311b4a8661a617466b8625edf7f7a4c7cca4bc5103dcf0762

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
362KB

MD5
1c0b01b7aad1120d2dfda9ad481e8aec

SHA1
96eee257cb55e5b7edb6585fa555fac8a1f92752

SHA256
2a4f722e58d05fe831a23fa51b9942aa1c4a85562b048c060634fbe491b03080

SHA512
14f7c437cd64d48d4491a9d246f2df0d294e6a68975538c150ae69e1cb80ace4923094e67db458a9c9b484731a6d196c0c8e08705c134b547b9c4862db3dfcc6

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
362KB

MD5
dcc274b5e7a49532ccf77612460a1626

SHA1
5291b07107a14a0d10abed4750cca0e774cf9114

SHA256
483a86b5c4a5e51e8f2306c416fdd1d9a6060554f01e4bea8e7ce369c2fbc4d6

SHA512
8fc6fc7064f4ad660a488fc435d6717f2ef0963c976bc0f2b8c033f6ea207a2fff08c6d53c9188f64b621be17d347cd5d9ae5694ba19f85d2d0450cbdbbe9d19

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
362KB

MD5
dcc274b5e7a49532ccf77612460a1626

SHA1
5291b07107a14a0d10abed4750cca0e774cf9114

SHA256
483a86b5c4a5e51e8f2306c416fdd1d9a6060554f01e4bea8e7ce369c2fbc4d6

SHA512
8fc6fc7064f4ad660a488fc435d6717f2ef0963c976bc0f2b8c033f6ea207a2fff08c6d53c9188f64b621be17d347cd5d9ae5694ba19f85d2d0450cbdbbe9d19

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
362KB

MD5
8afe39829a7dc871ccda2cdf940f12ed

SHA1
d40f6515c9c6e2757412ecbe047ddca9f8946ca1

SHA256
822d78dfb20487241357bb16a5a14d76807c7284db8c86809d1f07d403864a36

SHA512
de91244c9daf3b5d155b675805fbde2ee887ea2926152cdc7aed2d6044ada8b7c46d2401f249c2b5c8644d07b2e5e87d3e333cbd0bd2018e891cbb5b03d8e0d2

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
362KB

MD5
8afe39829a7dc871ccda2cdf940f12ed

SHA1
d40f6515c9c6e2757412ecbe047ddca9f8946ca1

SHA256
822d78dfb20487241357bb16a5a14d76807c7284db8c86809d1f07d403864a36

SHA512
de91244c9daf3b5d155b675805fbde2ee887ea2926152cdc7aed2d6044ada8b7c46d2401f249c2b5c8644d07b2e5e87d3e333cbd0bd2018e891cbb5b03d8e0d2

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
362KB

MD5
d8d9931ecaee52b00c02baa12ea42161

SHA1
010aad3fc1efe473a4b248308348e264b552168c

SHA256
f87627baf26dfc5f728dabcb597ac03d112709ecbe2d4eb341a14f52226fac78

SHA512
259b6be678aab2ea429dc051a24d7a0efa7db2d411699cb6ee2d3a1fe82c6bc012b1cfd7961368148b16c84183c7ca1d7cd631c906de0c510b5c7d65c79f0667

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
362KB

MD5
d8d9931ecaee52b00c02baa12ea42161

SHA1
010aad3fc1efe473a4b248308348e264b552168c

SHA256
f87627baf26dfc5f728dabcb597ac03d112709ecbe2d4eb341a14f52226fac78

SHA512
259b6be678aab2ea429dc051a24d7a0efa7db2d411699cb6ee2d3a1fe82c6bc012b1cfd7961368148b16c84183c7ca1d7cd631c906de0c510b5c7d65c79f0667

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
362KB

MD5
da7b961c397a763fabcd7b3f7c24d90c

SHA1
3b2bca5e2b86b6df809d72c528873e9f47c3d6d6

SHA256
35559b4a8a67f07934db1e3ac3109044da6b281d986a9796b0fb2ae35a8c7052

SHA512
2474ec7c345d3494dc2ecf8cb542729ba52ca5e0586ddb93417f3f06a33526ce5de6cee08459095040fe52c43faf78ba9abfd16e3acd1c96ba5089813216bacc

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
362KB

MD5
da7b961c397a763fabcd7b3f7c24d90c

SHA1
3b2bca5e2b86b6df809d72c528873e9f47c3d6d6

SHA256
35559b4a8a67f07934db1e3ac3109044da6b281d986a9796b0fb2ae35a8c7052

SHA512
2474ec7c345d3494dc2ecf8cb542729ba52ca5e0586ddb93417f3f06a33526ce5de6cee08459095040fe52c43faf78ba9abfd16e3acd1c96ba5089813216bacc

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
362KB

MD5
2372d5e0ce598b6644b3dd20a0e9dfa3

SHA1
61d6921e59b442992806e0d80ade768743433116

SHA256
bf3b35e7f1e9c572e818743439152e3a96ac9f31fd479e4cf292920436163c38

SHA512
88bd71d6a39312ea17c7dcb6f26e78a052bf4461f59817fa835aff7ac0a4d75f7bafca94976f89fe697cd6db4137be717569e8285d30e367da2d194b9f7cc6f7

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
362KB

MD5
2372d5e0ce598b6644b3dd20a0e9dfa3

SHA1
61d6921e59b442992806e0d80ade768743433116

SHA256
bf3b35e7f1e9c572e818743439152e3a96ac9f31fd479e4cf292920436163c38

SHA512
88bd71d6a39312ea17c7dcb6f26e78a052bf4461f59817fa835aff7ac0a4d75f7bafca94976f89fe697cd6db4137be717569e8285d30e367da2d194b9f7cc6f7

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
362KB

MD5
5017a53be56d35ec4041d929c4206d66

SHA1
645057d9ccba225a906b725b3dae69a2d8c00985

SHA256
49417f88357e3a8b1270ffc86d2ccfd24f1578ef596081b3e27e4b500f0d38b1

SHA512
dfb4cb459806622f364a652e8416f9edb7fe33f2a5736d7771c67b903314e9a2eb982a3b6f1162c25b665ad0dc37bfd5893bade9bab8c606166c4cc247f96eb7

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
362KB

MD5
5017a53be56d35ec4041d929c4206d66

SHA1
645057d9ccba225a906b725b3dae69a2d8c00985

SHA256
49417f88357e3a8b1270ffc86d2ccfd24f1578ef596081b3e27e4b500f0d38b1

SHA512
dfb4cb459806622f364a652e8416f9edb7fe33f2a5736d7771c67b903314e9a2eb982a3b6f1162c25b665ad0dc37bfd5893bade9bab8c606166c4cc247f96eb7

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
362KB

MD5
6837ce91857586c74a06e8bcd3acd5b6

SHA1
ac35670fcd763f131e56b68b5aed0f842df74ace

SHA256
33c2541840f124e5178c2e3576fe0fecdf4c4ce01225ebba5db7907eb7506e9c

SHA512
66f65b051aff4da29e6bd548b53dd71983caae8fd601f7fbf914a18774eebde90662fd0a5070cb79cf7f02ff054eb7e535486f6b10754e232b8d27e8779e0bee

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
362KB

MD5
6837ce91857586c74a06e8bcd3acd5b6

SHA1
ac35670fcd763f131e56b68b5aed0f842df74ace

SHA256
33c2541840f124e5178c2e3576fe0fecdf4c4ce01225ebba5db7907eb7506e9c

SHA512
66f65b051aff4da29e6bd548b53dd71983caae8fd601f7fbf914a18774eebde90662fd0a5070cb79cf7f02ff054eb7e535486f6b10754e232b8d27e8779e0bee

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
362KB

MD5
68cba7f04344ee2299685ad87a62225e

SHA1
2b26190c0e553e302e66e346d52458617d8139c2

SHA256
7c76ed6749bcc639a497f23d3a5e8b5307fddb6d87dc97788d796fd56ec8d018

SHA512
8a1ab603af6d7c7b74c41847429589fc5f706d687bf15a9b0a28cb60d178d8f72e16931c33fe85ec126c89b294b81accda7cec73b61243b4872c5be6a14b7627

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
362KB

MD5
68cba7f04344ee2299685ad87a62225e

SHA1
2b26190c0e553e302e66e346d52458617d8139c2

SHA256
7c76ed6749bcc639a497f23d3a5e8b5307fddb6d87dc97788d796fd56ec8d018

SHA512
8a1ab603af6d7c7b74c41847429589fc5f706d687bf15a9b0a28cb60d178d8f72e16931c33fe85ec126c89b294b81accda7cec73b61243b4872c5be6a14b7627

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
362KB

MD5
4a645dda86aada3995f50897272a1616

SHA1
b9e91694e0c4471a65ff041dcb236cba424cac24

SHA256
24ec43575c5fa640e2dd77adeec75b54b5eb004745e934b0dfe3bba0e9a077d0

SHA512
153e9160bc9a8fe3bfdffefa489d4c91a01cd8acecf70dfd843c63960d96af8365500f9a5affb2f83ad3614f28ffcdedc01e0766b5dc73da7ca7c05a6c694af4

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
362KB

MD5
4a645dda86aada3995f50897272a1616

SHA1
b9e91694e0c4471a65ff041dcb236cba424cac24

SHA256
24ec43575c5fa640e2dd77adeec75b54b5eb004745e934b0dfe3bba0e9a077d0

SHA512
153e9160bc9a8fe3bfdffefa489d4c91a01cd8acecf70dfd843c63960d96af8365500f9a5affb2f83ad3614f28ffcdedc01e0766b5dc73da7ca7c05a6c694af4

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
362KB

MD5
81bac420abda5b1657bfcee455ad5102

SHA1
75edcacd35261fde7e76b81c4b72d235fb1459be

SHA256
498eff720ad4065c6d391f098bf052a5ab7ee871db93d6448398fc19ca63297f

SHA512
ce81b7ad4136f0516bf1a05c9e590cc30669826e34d4893687ed0a6f87851dea7ba148e5b96d4b8247d3e0552abbc42a04b4e896090f35c481a26fb3bc4c4024

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
362KB

MD5
81bac420abda5b1657bfcee455ad5102

SHA1
75edcacd35261fde7e76b81c4b72d235fb1459be

SHA256
498eff720ad4065c6d391f098bf052a5ab7ee871db93d6448398fc19ca63297f

SHA512
ce81b7ad4136f0516bf1a05c9e590cc30669826e34d4893687ed0a6f87851dea7ba148e5b96d4b8247d3e0552abbc42a04b4e896090f35c481a26fb3bc4c4024

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
362KB

MD5
9b63065755d4007bee2c8a9ae9c78b46

SHA1
4c3d334519273b4499ecbedbfc03e592b08b8297

SHA256
b6f52a5cd43760f54e75ec6c1457cdd3b04012c9cc5ca17ff6cec31b9a45a260

SHA512
bec41a72d778e00fffb5d90aa149eb5c604963bda2eed20de4c4ab028f0d973919738f62ee97ec79a17c96d46ea6e3565dbee11f11213fd27eef772ef7d83938

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
362KB

MD5
9b63065755d4007bee2c8a9ae9c78b46

SHA1
4c3d334519273b4499ecbedbfc03e592b08b8297

SHA256
b6f52a5cd43760f54e75ec6c1457cdd3b04012c9cc5ca17ff6cec31b9a45a260

SHA512
bec41a72d778e00fffb5d90aa149eb5c604963bda2eed20de4c4ab028f0d973919738f62ee97ec79a17c96d46ea6e3565dbee11f11213fd27eef772ef7d83938

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
362KB

MD5
6ac4092ccfb15bc1321d2fb45a1ea523

SHA1
4789c0a34a4b4dbd3c1d3399598130cba3b1215b

SHA256
dfc14d3f689a62901fafcd5386a879bf310b615fb45d74122aef20d034b51640

SHA512
e86090d59f20a31b42613dfe897d56ac5c5e864165ecdf88775dc667775b02dc1be252a6fa2665e2593f01f072062b0bf9cdf0deeece815c5dd36c6304a75743

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
362KB

MD5
6ac4092ccfb15bc1321d2fb45a1ea523

SHA1
4789c0a34a4b4dbd3c1d3399598130cba3b1215b

SHA256
dfc14d3f689a62901fafcd5386a879bf310b615fb45d74122aef20d034b51640

SHA512
e86090d59f20a31b42613dfe897d56ac5c5e864165ecdf88775dc667775b02dc1be252a6fa2665e2593f01f072062b0bf9cdf0deeece815c5dd36c6304a75743

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
362KB

MD5
d0e4d3cf3bd8a87cc13067a08c17a8d1

SHA1
e02dbeb0f527fa36008f564c97d07b2fe0ea76e2

SHA256
cbb0391015bc1a8f869de94d28e80e5e8a8998ed9e236ede1503ce8533ccc8d0

SHA512
f1b06ebe5598d476a130cca5b6d80ef7950121ca2acf8840ea04e0e104c11b15ba04850049ec6f6d9e4804186d13a52f292bd905aef2d0750ab78e1a77cbce6e

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
362KB

MD5
d0e4d3cf3bd8a87cc13067a08c17a8d1

SHA1
e02dbeb0f527fa36008f564c97d07b2fe0ea76e2

SHA256
cbb0391015bc1a8f869de94d28e80e5e8a8998ed9e236ede1503ce8533ccc8d0

SHA512
f1b06ebe5598d476a130cca5b6d80ef7950121ca2acf8840ea04e0e104c11b15ba04850049ec6f6d9e4804186d13a52f292bd905aef2d0750ab78e1a77cbce6e

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
362KB

MD5
104955b639774d7540773c1ef2d4339a

SHA1
646d115d2a714118aa6889197432648601feffcf

SHA256
8ba50e10bc0941e7fbfbced8831d6256aeb758ca73c5dfa23c4a6afb80061206

SHA512
19d338d2df4e4ccc4934ed35aae888f4cf04e15794c2530ff10586ab89760ceeba5baa91a44bd1703d285514b99932a29ad13cfb00c79323d63d39ac44ae68b7

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
362KB

MD5
104955b639774d7540773c1ef2d4339a

SHA1
646d115d2a714118aa6889197432648601feffcf

SHA256
8ba50e10bc0941e7fbfbced8831d6256aeb758ca73c5dfa23c4a6afb80061206

SHA512
19d338d2df4e4ccc4934ed35aae888f4cf04e15794c2530ff10586ab89760ceeba5baa91a44bd1703d285514b99932a29ad13cfb00c79323d63d39ac44ae68b7

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
362KB

MD5
0c6b3261c46ae1de2a8dca51bd63e612

SHA1
bdb757e08c86a44e7a58c1a84bdc128d476f03f4

SHA256
791d76d4cb5828f58551e1855ba41363e5389327ee3c7e464f191e71d3226118

SHA512
ef3545d14e58a1f2c57598e222d2b7abcd4ea09244198a0f1a2bb3cb2a8a61d90eac02b39f0a622d6358a4ff4e0053be484532e9b764efa6ba26b624012da9f2

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
362KB

MD5
0c6b3261c46ae1de2a8dca51bd63e612

SHA1
bdb757e08c86a44e7a58c1a84bdc128d476f03f4

SHA256
791d76d4cb5828f58551e1855ba41363e5389327ee3c7e464f191e71d3226118

SHA512
ef3545d14e58a1f2c57598e222d2b7abcd4ea09244198a0f1a2bb3cb2a8a61d90eac02b39f0a622d6358a4ff4e0053be484532e9b764efa6ba26b624012da9f2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
362KB

MD5
0dd00349f1f792bd2c430c0b596fb4e3

SHA1
b29a02b68b20a7a6dcad26b7ae51719678227217

SHA256
1bef6976975dc1b5a813507015bd0922cf6a8e39de309f1241b8896ea3dbc3ce

SHA512
ed0f62fba70fd877e867d021c105ce43bf75fa4e2ed3d8f8b47b9f9c559613df15e9df70ea9a8af53e9a041b5439d1ede43600f8a178613cae011af3b1f0a176

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
362KB

MD5
0dd00349f1f792bd2c430c0b596fb4e3

SHA1
b29a02b68b20a7a6dcad26b7ae51719678227217

SHA256
1bef6976975dc1b5a813507015bd0922cf6a8e39de309f1241b8896ea3dbc3ce

SHA512
ed0f62fba70fd877e867d021c105ce43bf75fa4e2ed3d8f8b47b9f9c559613df15e9df70ea9a8af53e9a041b5439d1ede43600f8a178613cae011af3b1f0a176

Download Submit
C:\Windows\SysWOW64\Hjfgfh32.dll

Filesize
7KB

MD5
c3ec67627f4f27abd7dfa75942d7a921

SHA1
4c79158d4ca9be4d44626ddd13ad498686c7dcfd

SHA256
730c54593c530e4834d4e7a66a381a2d25930fd9d6a20676f14a9d0927223a20

SHA512
b04a0a8e61af9f9af0cd2207f8a104396b910fa24fb849e95450268603a621495fcaf8720d4c3efaecdf04cc7bff92e6145d414bfb127c2b9a924c65a6f56f87

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
362KB

MD5
3a4fb9baee7bd8e80ddbee987c9ff465

SHA1
e2734eaf9b0651f3424dbe80fe8de22d51af279f

SHA256
cacc8d4a006d5ab43f53ed1d43adb3b5fa4eb765843f28709b7d04cf9aeceb95

SHA512
bd72c9a66c4a57f338abc93b281157960c81bf47167d9c3840925dbe410ecb95328a0c671616313a89adce24ce80a83deb9204001a97ae42aa8b52e21458c5fb

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
362KB

MD5
3a4fb9baee7bd8e80ddbee987c9ff465

SHA1
e2734eaf9b0651f3424dbe80fe8de22d51af279f

SHA256
cacc8d4a006d5ab43f53ed1d43adb3b5fa4eb765843f28709b7d04cf9aeceb95

SHA512
bd72c9a66c4a57f338abc93b281157960c81bf47167d9c3840925dbe410ecb95328a0c671616313a89adce24ce80a83deb9204001a97ae42aa8b52e21458c5fb

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
362KB

MD5
3706afb2dbf25c3e2ec91ddafccd6072

SHA1
0206dd8c3de1bb7cc2e94bc86e99a5b101632a8e

SHA256
14dc2ccb83b6e29d0ea4f13e7e6fb42d5b005eb1d59282eef1f67e4897965cab

SHA512
82f3edbd245adbdd5ea60f4931ded02643249fb748f317020d2b01b8545ae8c0cdb4ddc3da5f701fb10f35e7e9f1b6575b36b0071a0cb11f7ac4c8f7d69ab832

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
362KB

MD5
3706afb2dbf25c3e2ec91ddafccd6072

SHA1
0206dd8c3de1bb7cc2e94bc86e99a5b101632a8e

SHA256
14dc2ccb83b6e29d0ea4f13e7e6fb42d5b005eb1d59282eef1f67e4897965cab

SHA512
82f3edbd245adbdd5ea60f4931ded02643249fb748f317020d2b01b8545ae8c0cdb4ddc3da5f701fb10f35e7e9f1b6575b36b0071a0cb11f7ac4c8f7d69ab832

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
362KB

MD5
14e5f5f88a3a6e8d7b505e7f5f37d6b6

SHA1
8cb4ad9b30f3739d6b20dc8103c42710218b8f16

SHA256
7a86003859eb42926b93879cf6eb11fb4266a3cfb4dbf381d986847ad94703c4

SHA512
efe2f192679a36413df05f561c011f9f44dc6d56a6fb1103bce6c7afc4ccf0ad97b8dce34f60f59f68c10486dc8c2c329ff2e163f44c04fd6b075455598f1035

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
362KB

MD5
14e5f5f88a3a6e8d7b505e7f5f37d6b6

SHA1
8cb4ad9b30f3739d6b20dc8103c42710218b8f16

SHA256
7a86003859eb42926b93879cf6eb11fb4266a3cfb4dbf381d986847ad94703c4

SHA512
efe2f192679a36413df05f561c011f9f44dc6d56a6fb1103bce6c7afc4ccf0ad97b8dce34f60f59f68c10486dc8c2c329ff2e163f44c04fd6b075455598f1035

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
362KB

MD5
efcd9fbf6e5c68ac8e546f55ccc2f1b4

SHA1
b37adb5ff071a40f50ccc6857a97aea80d761e4f

SHA256
56fd895d4d11f89013d2b76ea7a53b3ebf2d8924bd7012d7baccf904dfa05dff

SHA512
14e80e570f401d9afb21d32a4557046026493b5772bb4185a18d658ab44dac2841bf0581daad7313a8e398b9b75056c6ed55e28b5bd222f7303be1f7a35fac1f

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
362KB

MD5
efcd9fbf6e5c68ac8e546f55ccc2f1b4

SHA1
b37adb5ff071a40f50ccc6857a97aea80d761e4f

SHA256
56fd895d4d11f89013d2b76ea7a53b3ebf2d8924bd7012d7baccf904dfa05dff

SHA512
14e80e570f401d9afb21d32a4557046026493b5772bb4185a18d658ab44dac2841bf0581daad7313a8e398b9b75056c6ed55e28b5bd222f7303be1f7a35fac1f

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
362KB

MD5
40f706c22f261387ce80734bf81bf495

SHA1
8c1feb91d9ee2d1598bb4dbd523fe40cfdbc8ff9

SHA256
0457fae22cdb94b25315e5f5aa4d0a952918eecffbc1fae070ccfaabfce29664

SHA512
10967e580e6c733081ef787d640f9a17e208fa271e37eb1c3e0f6f1b234c9ab3fed51735de1a348aea69cfcb60a4d34c1f3291dc9892814ecbc414ff4d1d065e

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
362KB

MD5
40f706c22f261387ce80734bf81bf495

SHA1
8c1feb91d9ee2d1598bb4dbd523fe40cfdbc8ff9

SHA256
0457fae22cdb94b25315e5f5aa4d0a952918eecffbc1fae070ccfaabfce29664

SHA512
10967e580e6c733081ef787d640f9a17e208fa271e37eb1c3e0f6f1b234c9ab3fed51735de1a348aea69cfcb60a4d34c1f3291dc9892814ecbc414ff4d1d065e

Download Submit
memory/392-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/392-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/896-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/896-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1164-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1164-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-227-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3308-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3308-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3352-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3352-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-34-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3912-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3912-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3964-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4108-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4108-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4720-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4720-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4844-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads