0d099227603d99cf5eac9208e9c24d0b6e91dd85d695c3fdeb91744d2910d1e7

Analysis

max time kernel
188s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 08:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d89a9a68d41ae029b3bd1c962218d04a_JC.exe
Size

80KB
MD5

d89a9a68d41ae029b3bd1c962218d04a
SHA1

d1ca5f63ee816e0f115d8b67e8b02ec70270863b
SHA256

0d099227603d99cf5eac9208e9c24d0b6e91dd85d695c3fdeb91744d2910d1e7
SHA512

f3e1b86c722288bc44261170f9e27dcb56787124cf1432c888915d2d255b578958faf9fabeb778c0e7b728d0615e62dac62a087ee8be93d0e7f5a3aba4056b25
SSDEEP

1536:3yg/7cXWpGML1fP3h4B0vAqEcjiCFiJmZXU2LtJ+wfi+TjRC/6i:3yC7cX0H1fZ4Bs/jiCFiJmZXtSwf1TjE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboffejp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d89a9a68d41ae029b3bd1c962218d04a_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d89a9a68d41ae029b3bd1c962218d04a_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmladm32.exe

Executes dropped EXE 25 IoCs

pid	Process
3860	Qfmfefni.exe
2072	Acqgojmb.exe
1228	Apggckbf.exe
1876	Aagdnn32.exe
4596	Aibibp32.exe
1352	Abjmkf32.exe
3736	Ajdbac32.exe
4640	Bboffejp.exe
228	Bmdkcnie.exe
3976	Bkkhbb32.exe
4716	Bmladm32.exe
4496	Cgfbbb32.exe
3168	Cgklmacf.exe
4660	Cpfmlghd.exe
2736	Dknnoofg.exe
4636	Dgdncplk.exe
4956	Dnqcfjae.exe
4576	Dcphdqmj.exe
4608	Eaceghcg.exe
3676	Ekljpm32.exe
3372	Ejagaj32.exe
2512	Eajlhg32.exe
2224	Fqphic32.exe
4016	Fklcgk32.exe
4800	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Imhcpepk.dll	Ejagaj32.exe
File opened for modification	C:\Windows\SysWOW64\Fqphic32.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Bboffejp.exe	Ajdbac32.exe
File opened for modification	C:\Windows\SysWOW64\Bmladm32.exe	Bkkhbb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Abjmkf32.exe	Aibibp32.exe
File created	C:\Windows\SysWOW64\Fnihje32.dll	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Ekljpm32.exe	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fboecfii.exe
File created	C:\Windows\SysWOW64\Ikfbpdlg.dll	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Eaceghcg.exe	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Apggckbf.exe	Acqgojmb.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Bmladm32.exe
File created	C:\Windows\SysWOW64\Nepmal32.dll	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Engdno32.dll	Aibibp32.exe
File created	C:\Windows\SysWOW64\Ajdbac32.exe	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Bkkhbb32.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Bmladm32.exe
File opened for modification	C:\Windows\SysWOW64\Ejagaj32.exe	Ekljpm32.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fboecfii.exe
File opened for modification	C:\Windows\SysWOW64\Acqgojmb.exe	Qfmfefni.exe
File opened for modification	C:\Windows\SysWOW64\Apggckbf.exe	Acqgojmb.exe
File created	C:\Windows\SysWOW64\Mmebednk.dll	Aagdnn32.exe
File opened for modification	C:\Windows\SysWOW64\Ajdbac32.exe	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Dcphdqmj.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Ipimhnjc.dll	d89a9a68d41ae029b3bd1c962218d04a_JC.exe
File created	C:\Windows\SysWOW64\Aibibp32.exe	Aagdnn32.exe
File opened for modification	C:\Windows\SysWOW64\Cgklmacf.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Ekljpm32.exe
File opened for modification	C:\Windows\SysWOW64\Eajlhg32.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Qfmfefni.exe	d89a9a68d41ae029b3bd1c962218d04a_JC.exe
File opened for modification	C:\Windows\SysWOW64\Aibibp32.exe	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Aldclhie.dll	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Cgklmacf.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Jjjfeo32.dll	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Ghpkld32.dll	Apggckbf.exe
File created	C:\Windows\SysWOW64\Bmdkcnie.exe	Bboffejp.exe
File created	C:\Windows\SysWOW64\Ldbhiiol.dll	Bboffejp.exe
File opened for modification	C:\Windows\SysWOW64\Bkkhbb32.exe	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Dknnoofg.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Eaceghcg.exe
File opened for modification	C:\Windows\SysWOW64\Qfmfefni.exe	d89a9a68d41ae029b3bd1c962218d04a_JC.exe
File created	C:\Windows\SysWOW64\Abjmkf32.exe	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Dknnoofg.exe
File opened for modification	C:\Windows\SysWOW64\Dnqcfjae.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Bkkhbb32.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Pedfeccm.dll	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ekljpm32.exe	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Acqgojmb.exe	Qfmfefni.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3444	4800	WerFault.exe	112

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipimhnjc.dll"	d89a9a68d41ae029b3bd1c962218d04a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpkld32.dll"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgilho32.dll"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldclhie.dll"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d89a9a68d41ae029b3bd1c962218d04a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d89a9a68d41ae029b3bd1c962218d04a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpbbbdk.dll"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d89a9a68d41ae029b3bd1c962218d04a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjfeo32.dll"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmofmb32.dll"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihje32.dll"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bboffejp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll"	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll"	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdjkflc.dll"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engdno32.dll"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmladm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3860	5052	d89a9a68d41ae029b3bd1c962218d04a_JC.exe	86
PID 5052 wrote to memory of 3860	5052	d89a9a68d41ae029b3bd1c962218d04a_JC.exe	86
PID 5052 wrote to memory of 3860	5052	d89a9a68d41ae029b3bd1c962218d04a_JC.exe	86
PID 3860 wrote to memory of 2072	3860	Qfmfefni.exe	87
PID 3860 wrote to memory of 2072	3860	Qfmfefni.exe	87
PID 3860 wrote to memory of 2072	3860	Qfmfefni.exe	87
PID 2072 wrote to memory of 1228	2072	Acqgojmb.exe	88
PID 2072 wrote to memory of 1228	2072	Acqgojmb.exe	88
PID 2072 wrote to memory of 1228	2072	Acqgojmb.exe	88
PID 1228 wrote to memory of 1876	1228	Apggckbf.exe	89
PID 1228 wrote to memory of 1876	1228	Apggckbf.exe	89
PID 1228 wrote to memory of 1876	1228	Apggckbf.exe	89
PID 1876 wrote to memory of 4596	1876	Aagdnn32.exe	90
PID 1876 wrote to memory of 4596	1876	Aagdnn32.exe	90
PID 1876 wrote to memory of 4596	1876	Aagdnn32.exe	90
PID 4596 wrote to memory of 1352	4596	Aibibp32.exe	91
PID 4596 wrote to memory of 1352	4596	Aibibp32.exe	91
PID 4596 wrote to memory of 1352	4596	Aibibp32.exe	91
PID 1352 wrote to memory of 3736	1352	Abjmkf32.exe	92
PID 1352 wrote to memory of 3736	1352	Abjmkf32.exe	92
PID 1352 wrote to memory of 3736	1352	Abjmkf32.exe	92
PID 3736 wrote to memory of 4640	3736	Ajdbac32.exe	93
PID 3736 wrote to memory of 4640	3736	Ajdbac32.exe	93
PID 3736 wrote to memory of 4640	3736	Ajdbac32.exe	93
PID 4640 wrote to memory of 228	4640	Bboffejp.exe	94
PID 4640 wrote to memory of 228	4640	Bboffejp.exe	94
PID 4640 wrote to memory of 228	4640	Bboffejp.exe	94
PID 228 wrote to memory of 3976	228	Bmdkcnie.exe	95
PID 228 wrote to memory of 3976	228	Bmdkcnie.exe	95
PID 228 wrote to memory of 3976	228	Bmdkcnie.exe	95
PID 3976 wrote to memory of 4716	3976	Bkkhbb32.exe	96
PID 3976 wrote to memory of 4716	3976	Bkkhbb32.exe	96
PID 3976 wrote to memory of 4716	3976	Bkkhbb32.exe	96
PID 4716 wrote to memory of 4496	4716	Bmladm32.exe	97
PID 4716 wrote to memory of 4496	4716	Bmladm32.exe	97
PID 4716 wrote to memory of 4496	4716	Bmladm32.exe	97
PID 4496 wrote to memory of 3168	4496	Cgfbbb32.exe	98
PID 4496 wrote to memory of 3168	4496	Cgfbbb32.exe	98
PID 4496 wrote to memory of 3168	4496	Cgfbbb32.exe	98
PID 3168 wrote to memory of 4660	3168	Cgklmacf.exe	99
PID 3168 wrote to memory of 4660	3168	Cgklmacf.exe	99
PID 3168 wrote to memory of 4660	3168	Cgklmacf.exe	99
PID 4660 wrote to memory of 2736	4660	Cpfmlghd.exe	100
PID 4660 wrote to memory of 2736	4660	Cpfmlghd.exe	100
PID 4660 wrote to memory of 2736	4660	Cpfmlghd.exe	100
PID 2736 wrote to memory of 4636	2736	Dknnoofg.exe	101
PID 2736 wrote to memory of 4636	2736	Dknnoofg.exe	101
PID 2736 wrote to memory of 4636	2736	Dknnoofg.exe	101
PID 4636 wrote to memory of 4956	4636	Dgdncplk.exe	103
PID 4636 wrote to memory of 4956	4636	Dgdncplk.exe	103
PID 4636 wrote to memory of 4956	4636	Dgdncplk.exe	103
PID 4956 wrote to memory of 4576	4956	Dnqcfjae.exe	104
PID 4956 wrote to memory of 4576	4956	Dnqcfjae.exe	104
PID 4956 wrote to memory of 4576	4956	Dnqcfjae.exe	104
PID 4576 wrote to memory of 4608	4576	Dcphdqmj.exe	105
PID 4576 wrote to memory of 4608	4576	Dcphdqmj.exe	105
PID 4576 wrote to memory of 4608	4576	Dcphdqmj.exe	105
PID 4608 wrote to memory of 3676	4608	Eaceghcg.exe	106
PID 4608 wrote to memory of 3676	4608	Eaceghcg.exe	106
PID 4608 wrote to memory of 3676	4608	Eaceghcg.exe	106
PID 3676 wrote to memory of 3372	3676	Ekljpm32.exe	107
PID 3676 wrote to memory of 3372	3676	Ekljpm32.exe	107
PID 3676 wrote to memory of 3372	3676	Ekljpm32.exe	107
PID 3372 wrote to memory of 2512	3372	Ejagaj32.exe	108

C:\Users\Admin\AppData\Local\Temp\d89a9a68d41ae029b3bd1c962218d04a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d89a9a68d41ae029b3bd1c962218d04a_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\Qfmfefni.exe
  C:\Windows\system32\Qfmfefni.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\Acqgojmb.exe
    C:\Windows\system32\Acqgojmb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\Apggckbf.exe
      C:\Windows\system32\Apggckbf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        27⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 400
        28⤵
        Program crash
        
        PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4800 -ip 4800
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagdnn32.exe

Filesize
80KB

MD5
d2731694bb1ceb15099f64eb02582399

SHA1
4caec564a9ff608db880373c3a6df264be9b8d84

SHA256
f26dcc7ecbfabfe4d59f73e52f8386a06d066d3e5dceb8041efc08587978fd98

SHA512
f04a775045a7ed6460d4e465768454adb02df64af7994b457031374548dfda242eff87d604633fd99d20859571bbf8524348ad144dffc55b3efa715527791240

Download Submit
C:\Windows\SysWOW64\Aagdnn32.exe

Filesize
80KB

MD5
d2731694bb1ceb15099f64eb02582399

SHA1
4caec564a9ff608db880373c3a6df264be9b8d84

SHA256
f26dcc7ecbfabfe4d59f73e52f8386a06d066d3e5dceb8041efc08587978fd98

SHA512
f04a775045a7ed6460d4e465768454adb02df64af7994b457031374548dfda242eff87d604633fd99d20859571bbf8524348ad144dffc55b3efa715527791240

Download Submit
C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
80KB

MD5
e49dbca8eee962dfa980052c675c399a

SHA1
6a9008ad6f513f8268eef25bfe8144b59a02cddb

SHA256
413b530ac460d10f01cf6cb733dc7fe3803889f99990825888223e793ab9f5d3

SHA512
3e1883c36009695f31f41c1145b1f81f4375ca2e79577972ea19db2e083723d91f53b761647bdec98ea14a89276f1f8e26ee913288d2c92b061b98de7d84561f

Download Submit
C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
80KB

MD5
e49dbca8eee962dfa980052c675c399a

SHA1
6a9008ad6f513f8268eef25bfe8144b59a02cddb

SHA256
413b530ac460d10f01cf6cb733dc7fe3803889f99990825888223e793ab9f5d3

SHA512
3e1883c36009695f31f41c1145b1f81f4375ca2e79577972ea19db2e083723d91f53b761647bdec98ea14a89276f1f8e26ee913288d2c92b061b98de7d84561f

Download Submit
C:\Windows\SysWOW64\Acqgojmb.exe

Filesize
80KB

MD5
dbf9879b848998029f6b16d8aec89881

SHA1
9891a8cc95a5117c17ebbf13eea9f1ee819b097d

SHA256
9ce1c7a79702291e801ccb290b4d788fed566eda3bac907a8abfa169b69470b7

SHA512
23c2257b9d3c394817cfb5ae506c6ac354b90e3ed62a7c35f8dc334762d59c101ff6881a7a398e80501af00bc8698f5e4d586bbb23dd362aed57a60e89d0ca13

Download Submit
C:\Windows\SysWOW64\Acqgojmb.exe

Filesize
80KB

MD5
dbf9879b848998029f6b16d8aec89881

SHA1
9891a8cc95a5117c17ebbf13eea9f1ee819b097d

SHA256
9ce1c7a79702291e801ccb290b4d788fed566eda3bac907a8abfa169b69470b7

SHA512
23c2257b9d3c394817cfb5ae506c6ac354b90e3ed62a7c35f8dc334762d59c101ff6881a7a398e80501af00bc8698f5e4d586bbb23dd362aed57a60e89d0ca13

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
80KB

MD5
de4a637702b47f7dcf8f406f0a15547b

SHA1
c6225cc9cc702a3e997f62b53699d37d301c3e86

SHA256
ec11cf5bedcf009bfd8d26a3d78aea9303e8ceb376de7a64a27f70a2d2594e16

SHA512
291a262fcea4aaa961da8a58486ac76976c75d17eeac686a115dd1f4ff1dc8b63d918dd2251b8af50703fb2dbd53789eb44b40518a559c1d2e17ce620c2cccab

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
80KB

MD5
de4a637702b47f7dcf8f406f0a15547b

SHA1
c6225cc9cc702a3e997f62b53699d37d301c3e86

SHA256
ec11cf5bedcf009bfd8d26a3d78aea9303e8ceb376de7a64a27f70a2d2594e16

SHA512
291a262fcea4aaa961da8a58486ac76976c75d17eeac686a115dd1f4ff1dc8b63d918dd2251b8af50703fb2dbd53789eb44b40518a559c1d2e17ce620c2cccab

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
80KB

MD5
5446d35102ea74ec7133fa62de3eee59

SHA1
71982d7f8e6201c0585eb73487fd63beaabbafb1

SHA256
a893f1b2a90743f9f40b460e4def7a7dd1247f8cda82eb7d25b60c36aa3c57bd

SHA512
bd7c10a1952fe953b485a4a9c2fb43a5993e56769737923d2dacc4acfaabda876556113d4477ee0f984cb4524caf468f8728c9b1513b076ca1df57704b10fba5

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
80KB

MD5
5446d35102ea74ec7133fa62de3eee59

SHA1
71982d7f8e6201c0585eb73487fd63beaabbafb1

SHA256
a893f1b2a90743f9f40b460e4def7a7dd1247f8cda82eb7d25b60c36aa3c57bd

SHA512
bd7c10a1952fe953b485a4a9c2fb43a5993e56769737923d2dacc4acfaabda876556113d4477ee0f984cb4524caf468f8728c9b1513b076ca1df57704b10fba5

Download Submit
C:\Windows\SysWOW64\Apggckbf.exe

Filesize
80KB

MD5
e3e5b05b92b455e0d4adc515520e8443

SHA1
54ae6c15705bd4e86b31e8e72c5999d29637121a

SHA256
b7df56f0b4f381711d70aed838aa0a6e89d6b4692a6100f44ccd26c2746b02cf

SHA512
1a4dfb560d5aad2f58720f0de39664919abdae5d82f1eb423e6bc3dc9b8f3b2778be51f77495390cded7e3cb7ca8ab03c1ac90d06f4064e333a7fe2c213d64f5

Download Submit
C:\Windows\SysWOW64\Apggckbf.exe

Filesize
80KB

MD5
e3e5b05b92b455e0d4adc515520e8443

SHA1
54ae6c15705bd4e86b31e8e72c5999d29637121a

SHA256
b7df56f0b4f381711d70aed838aa0a6e89d6b4692a6100f44ccd26c2746b02cf

SHA512
1a4dfb560d5aad2f58720f0de39664919abdae5d82f1eb423e6bc3dc9b8f3b2778be51f77495390cded7e3cb7ca8ab03c1ac90d06f4064e333a7fe2c213d64f5

Download Submit
C:\Windows\SysWOW64\Bboffejp.exe

Filesize
80KB

MD5
eda5874d071e0f5d3d4526419f802c3c

SHA1
52b773c9d84c1aa5551bc8e2df28552e0c2b272a

SHA256
5e01d64a7be58eb7fbff738fab47d09bb3ba72e66d5fb4248947010c111871f3

SHA512
f7acdad4f574f9de8f61e89c3f76d6d630169cc1232091a10e8a5e0333a3a1bc8eef2a5ed6a4aa1c47f271651a885ed32d8fb89c9849010044d0d3f40e5df707

Download Submit
C:\Windows\SysWOW64\Bboffejp.exe

Filesize
80KB

MD5
eda5874d071e0f5d3d4526419f802c3c

SHA1
52b773c9d84c1aa5551bc8e2df28552e0c2b272a

SHA256
5e01d64a7be58eb7fbff738fab47d09bb3ba72e66d5fb4248947010c111871f3

SHA512
f7acdad4f574f9de8f61e89c3f76d6d630169cc1232091a10e8a5e0333a3a1bc8eef2a5ed6a4aa1c47f271651a885ed32d8fb89c9849010044d0d3f40e5df707

Download Submit
C:\Windows\SysWOW64\Bkkhbb32.exe

Filesize
80KB

MD5
3a437b4e2e352e6f9bf65e45db680fbd

SHA1
938fdd96b46c2c9da669f22f84b65d68b8c6157b

SHA256
0d7ee296dc6459c7407ee0e6d460cca2c89d9ae3b5ae9e364f517065f4b0125c

SHA512
c3c5084283298b43f1bb14e67094bc930892e113d450e4270333a701dbd1af2bd3a4a58da01bcff0da8b08cca0bac3c265ec9e9b739968ea8ef48596884d20b5

Download Submit
C:\Windows\SysWOW64\Bkkhbb32.exe

Filesize
80KB

MD5
3a437b4e2e352e6f9bf65e45db680fbd

SHA1
938fdd96b46c2c9da669f22f84b65d68b8c6157b

SHA256
0d7ee296dc6459c7407ee0e6d460cca2c89d9ae3b5ae9e364f517065f4b0125c

SHA512
c3c5084283298b43f1bb14e67094bc930892e113d450e4270333a701dbd1af2bd3a4a58da01bcff0da8b08cca0bac3c265ec9e9b739968ea8ef48596884d20b5

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
80KB

MD5
1b84b4261e42385dc40fc95c07b4970c

SHA1
07424de6b2780b36a83f020a6a83f37c6f022883

SHA256
a3fed9f6b41bc953664a931bfde321a268ef1b047ddb3dde6d7135f9a9f12dd7

SHA512
ec20c91ca18fd5095dfa2066de0a0e6ad34017dd3d1a20f39f57bc725a7b18297623642729d434baf38ef6d08284594f2d84a2bfc1b6ca2f96ce67a549cb030c

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
80KB

MD5
1b84b4261e42385dc40fc95c07b4970c

SHA1
07424de6b2780b36a83f020a6a83f37c6f022883

SHA256
a3fed9f6b41bc953664a931bfde321a268ef1b047ddb3dde6d7135f9a9f12dd7

SHA512
ec20c91ca18fd5095dfa2066de0a0e6ad34017dd3d1a20f39f57bc725a7b18297623642729d434baf38ef6d08284594f2d84a2bfc1b6ca2f96ce67a549cb030c

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
80KB

MD5
5b44b43cd4e0c1672b1fba9b382a89be

SHA1
f541c2ba2e9a5c3bca6f92ae86da8df75e52299d

SHA256
6e3b03ac1386a3131b5a3cabf8ca8f47c5f4300bdeebe3b3c1c130fba14af1a5

SHA512
3f51140452e51ccbf49f6a9744cd488e99497fc1360be38f9507214dce3eb299d5bd4b5d2003a2801687e876b50ccbf18ca3c0491e8a03529666d9cd43ac17ec

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
80KB

MD5
5b44b43cd4e0c1672b1fba9b382a89be

SHA1
f541c2ba2e9a5c3bca6f92ae86da8df75e52299d

SHA256
6e3b03ac1386a3131b5a3cabf8ca8f47c5f4300bdeebe3b3c1c130fba14af1a5

SHA512
3f51140452e51ccbf49f6a9744cd488e99497fc1360be38f9507214dce3eb299d5bd4b5d2003a2801687e876b50ccbf18ca3c0491e8a03529666d9cd43ac17ec

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
80KB

MD5
02a2e4a2e6b57d510cc86333fdf2340b

SHA1
7713c07de15dc8273ff280ae18650d0b0dde00cc

SHA256
ce2f9a8fb5e64cfa1b796ea55efce1c52c0344279a4ff88b314e7e1416bf7857

SHA512
be2f346d6a402abbef62ef799ad8e1dfac03b8e7817a3842085fdfdcbed4662c11d9a8d1e3141a942f4b951d4d08d021e35beecdbd759aa8f4c0205aaf5744e9

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
80KB

MD5
02a2e4a2e6b57d510cc86333fdf2340b

SHA1
7713c07de15dc8273ff280ae18650d0b0dde00cc

SHA256
ce2f9a8fb5e64cfa1b796ea55efce1c52c0344279a4ff88b314e7e1416bf7857

SHA512
be2f346d6a402abbef62ef799ad8e1dfac03b8e7817a3842085fdfdcbed4662c11d9a8d1e3141a942f4b951d4d08d021e35beecdbd759aa8f4c0205aaf5744e9

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
80KB

MD5
02a2e4a2e6b57d510cc86333fdf2340b

SHA1
7713c07de15dc8273ff280ae18650d0b0dde00cc

SHA256
ce2f9a8fb5e64cfa1b796ea55efce1c52c0344279a4ff88b314e7e1416bf7857

SHA512
be2f346d6a402abbef62ef799ad8e1dfac03b8e7817a3842085fdfdcbed4662c11d9a8d1e3141a942f4b951d4d08d021e35beecdbd759aa8f4c0205aaf5744e9

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
80KB

MD5
623d18a2440bff7541425b7cdb6637e6

SHA1
d2bb701960d041aa9edaf3ad2345f605ce6fcb68

SHA256
666d3bd7688b196b8f22266dabb67897d4d97c116e451a28b4ecd875c66c8fcd

SHA512
c1f7410ef4c9f5e10f3fc9aa8b5cd7b3a579752df21d62bc6986276f0f677bd72bb959e438ed1d103c257ee74540c9bcdc2dbc133698cad588a922183fb946c1

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
80KB

MD5
623d18a2440bff7541425b7cdb6637e6

SHA1
d2bb701960d041aa9edaf3ad2345f605ce6fcb68

SHA256
666d3bd7688b196b8f22266dabb67897d4d97c116e451a28b4ecd875c66c8fcd

SHA512
c1f7410ef4c9f5e10f3fc9aa8b5cd7b3a579752df21d62bc6986276f0f677bd72bb959e438ed1d103c257ee74540c9bcdc2dbc133698cad588a922183fb946c1

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
80KB

MD5
0d4f0b18ad7522abe31692a15f42dd60

SHA1
cd145d184155a13980e1f0eb870ddf0d8ecd4e3a

SHA256
ab675fef857e0c33bbf583ef712487a6bf972c78a09be2adfa51eb738130e9a1

SHA512
672331efaaec3a2052c00ab78b123bbde180fb3f983a53de55726dafd6e18344f6dd198d2bd6e30d90f095a095f1f2b813d9e790890c58c006696a1c718a77e1

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
80KB

MD5
0d4f0b18ad7522abe31692a15f42dd60

SHA1
cd145d184155a13980e1f0eb870ddf0d8ecd4e3a

SHA256
ab675fef857e0c33bbf583ef712487a6bf972c78a09be2adfa51eb738130e9a1

SHA512
672331efaaec3a2052c00ab78b123bbde180fb3f983a53de55726dafd6e18344f6dd198d2bd6e30d90f095a095f1f2b813d9e790890c58c006696a1c718a77e1

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
80KB

MD5
23cc5bb51f20eecdefff14b05ec0ed72

SHA1
38946e9e57c36178a7f2a30f84905c6bdb936b4a

SHA256
aad6f92459d4c7481639cb5201a1bf7472990e386dac3fa8cf8d8d3abf7fcd01

SHA512
e3f303f61ff7db09f868fccda5d4e2ee4a86b59574c817e82afbbe8f06e4c9282320f0b5dcc70c839985e76e4ff07164745e00c312f4a582f7fe394e995122dd

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
80KB

MD5
23cc5bb51f20eecdefff14b05ec0ed72

SHA1
38946e9e57c36178a7f2a30f84905c6bdb936b4a

SHA256
aad6f92459d4c7481639cb5201a1bf7472990e386dac3fa8cf8d8d3abf7fcd01

SHA512
e3f303f61ff7db09f868fccda5d4e2ee4a86b59574c817e82afbbe8f06e4c9282320f0b5dcc70c839985e76e4ff07164745e00c312f4a582f7fe394e995122dd

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
80KB

MD5
7e3bc24b6c3d589df15abfdeca007677

SHA1
8e38f6469cd3ae27d03da40723bff3aa49cd27f5

SHA256
c9aa1531a72cafb4f0d2dd19d1acfa32d438b9bf9936218f841827dac771f17a

SHA512
14545e47254c0a49890012f4fbbb244bcc33de829979062ee06e9f5fd68a6161d3a2c6157662dd23411f610e1a42005c871eb47f115141d0e07edf5cee200c33

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
80KB

MD5
7e3bc24b6c3d589df15abfdeca007677

SHA1
8e38f6469cd3ae27d03da40723bff3aa49cd27f5

SHA256
c9aa1531a72cafb4f0d2dd19d1acfa32d438b9bf9936218f841827dac771f17a

SHA512
14545e47254c0a49890012f4fbbb244bcc33de829979062ee06e9f5fd68a6161d3a2c6157662dd23411f610e1a42005c871eb47f115141d0e07edf5cee200c33

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
80KB

MD5
bae6a7ed338d6059a4ccefad5f3e9aef

SHA1
c00ac9a9e28a10f05b42de9bb765fc91f152c8b4

SHA256
908c4f974c9c5671fe7b13d5d4c3fb3a29d9622cce7117a48198164424f795b9

SHA512
ea59e3c0996587050718a999372c5faa5a04e3b14df9463cfc72f00877b2e03256a13d31f2bb90436f5f645a6632b1cb922905adbbca3f8f88fd666b7dcb6dce

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
80KB

MD5
bae6a7ed338d6059a4ccefad5f3e9aef

SHA1
c00ac9a9e28a10f05b42de9bb765fc91f152c8b4

SHA256
908c4f974c9c5671fe7b13d5d4c3fb3a29d9622cce7117a48198164424f795b9

SHA512
ea59e3c0996587050718a999372c5faa5a04e3b14df9463cfc72f00877b2e03256a13d31f2bb90436f5f645a6632b1cb922905adbbca3f8f88fd666b7dcb6dce

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
80KB

MD5
b15ede0d15fb86efbde0d8b9f67810ea

SHA1
a6443b77f86374b750312606aa857f05ccf79802

SHA256
c59a7016ed263832334515411913d377b9112c788a994eb68386d9c7e5113f5d

SHA512
a6456b63112f378894b0448c56f897b91769be5f7f6670f24340876e8d1122e2ad580e6b4730000ba77d98b33e98293f38a5964f85c8c2824a985c87cd36c755

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
80KB

MD5
b15ede0d15fb86efbde0d8b9f67810ea

SHA1
a6443b77f86374b750312606aa857f05ccf79802

SHA256
c59a7016ed263832334515411913d377b9112c788a994eb68386d9c7e5113f5d

SHA512
a6456b63112f378894b0448c56f897b91769be5f7f6670f24340876e8d1122e2ad580e6b4730000ba77d98b33e98293f38a5964f85c8c2824a985c87cd36c755

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
80KB

MD5
7e0653cf0f748530cf50545602b113cf

SHA1
43e6c57e5bc6ddcddfef91a4f2ffee24a4011be6

SHA256
49aa3b0386d638c1e15a40c3e8febac694fae25bee89f2b892c6a506e29bc8d9

SHA512
2754d614dea8c7457c087c49a7788073dd124739d719183c6748705d6ff99b05c5f193d576759cdd979f92a5c74cffc88a5c8666875f50facf829c6be7ca1140

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
80KB

MD5
7e0653cf0f748530cf50545602b113cf

SHA1
43e6c57e5bc6ddcddfef91a4f2ffee24a4011be6

SHA256
49aa3b0386d638c1e15a40c3e8febac694fae25bee89f2b892c6a506e29bc8d9

SHA512
2754d614dea8c7457c087c49a7788073dd124739d719183c6748705d6ff99b05c5f193d576759cdd979f92a5c74cffc88a5c8666875f50facf829c6be7ca1140

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
80KB

MD5
b948ae6afa1b60b6b1b659fbb9bfcefb

SHA1
31d13f289e457af231ea9913f8598f4a83fad029

SHA256
73f6d72057e64073b2870a2c3af49f9a3b8f6524ebe0fa83a8f726d6596b5c8e

SHA512
dc7c6edc2f8c8f30353e016d07075ca5f40b59c684bb431e2ae7506948b14bf10327deb4a81e89319e281ed3d4add10872d44b890f46a612f22f885de607a86e

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
80KB

MD5
b948ae6afa1b60b6b1b659fbb9bfcefb

SHA1
31d13f289e457af231ea9913f8598f4a83fad029

SHA256
73f6d72057e64073b2870a2c3af49f9a3b8f6524ebe0fa83a8f726d6596b5c8e

SHA512
dc7c6edc2f8c8f30353e016d07075ca5f40b59c684bb431e2ae7506948b14bf10327deb4a81e89319e281ed3d4add10872d44b890f46a612f22f885de607a86e

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
80KB

MD5
3c69667381d78324d3c3ad4b340a7260

SHA1
44ce48ab6051692a700fa36c8e9a243d53c6d6bc

SHA256
6c0783c971731737d1646de43d2d0aade6cbff17b51c99dc930ba5fa77608f5e

SHA512
f70b4e0f57a806113c429db9591599c44431512287f6d2be91baadb3e9266dd51fb81bc4dfb9ea2c9832b1730ee09ce0f7d6ed42f0719dee52405300fea205e3

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
80KB

MD5
3c69667381d78324d3c3ad4b340a7260

SHA1
44ce48ab6051692a700fa36c8e9a243d53c6d6bc

SHA256
6c0783c971731737d1646de43d2d0aade6cbff17b51c99dc930ba5fa77608f5e

SHA512
f70b4e0f57a806113c429db9591599c44431512287f6d2be91baadb3e9266dd51fb81bc4dfb9ea2c9832b1730ee09ce0f7d6ed42f0719dee52405300fea205e3

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
80KB

MD5
4923b6f597dcd2370164dbff0c51b5e0

SHA1
e8d48dd329371d3260c4d35516604390008b0e49

SHA256
fe3d20c6c4352bccc0341fc98eebbd9a50558e2bdaef2e805ce5e35aa5bf7e77

SHA512
ba8f847966e823f4c6d3e10b515a44960b85b85df5b08f53f096cd450dae425ab8d8551d22ae0a8e6342168ae9f36bcda339453c53b75acfefe47e780537008a

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
80KB

MD5
4923b6f597dcd2370164dbff0c51b5e0

SHA1
e8d48dd329371d3260c4d35516604390008b0e49

SHA256
fe3d20c6c4352bccc0341fc98eebbd9a50558e2bdaef2e805ce5e35aa5bf7e77

SHA512
ba8f847966e823f4c6d3e10b515a44960b85b85df5b08f53f096cd450dae425ab8d8551d22ae0a8e6342168ae9f36bcda339453c53b75acfefe47e780537008a

Download Submit
C:\Windows\SysWOW64\Fklcgk32.exe

Filesize
80KB

MD5
5a34e6c1bfb204d6c098fa374f98696b

SHA1
7e43e9303c6546078189b71abd5af5334f706eee

SHA256
54abadd941799c7e5a8543e02950f288ab3ef2f63c92ba101b6c18152d4355e4

SHA512
ff11383e873ee2f19f130afd0eb07c85d412543b9e1af4c146ba938fd96062b3edce1837b2a1ebde1199c395437cff202098b09683f3aad2e2ef1ee65eaad683

Download Submit
C:\Windows\SysWOW64\Fklcgk32.exe

Filesize
80KB

MD5
5a34e6c1bfb204d6c098fa374f98696b

SHA1
7e43e9303c6546078189b71abd5af5334f706eee

SHA256
54abadd941799c7e5a8543e02950f288ab3ef2f63c92ba101b6c18152d4355e4

SHA512
ff11383e873ee2f19f130afd0eb07c85d412543b9e1af4c146ba938fd96062b3edce1837b2a1ebde1199c395437cff202098b09683f3aad2e2ef1ee65eaad683

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
80KB

MD5
59703bba808cfab945dbbddc38ca4842

SHA1
ad4626446c6561806a4c317c55c1652b3a0b8062

SHA256
3d448c984cb626aac22d016ae1295c50cf6d0b4978fa7e0ae506b23add7ce803

SHA512
aeb6eb1e0b6497603a9752060b2c6a19d473e07a8dcde4ad726608a20bd653dfb148f7af4a6dc9866b4d0cf18f9504be0d4002d963d6afb25c0d2a2a8b3593d7

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
80KB

MD5
59703bba808cfab945dbbddc38ca4842

SHA1
ad4626446c6561806a4c317c55c1652b3a0b8062

SHA256
3d448c984cb626aac22d016ae1295c50cf6d0b4978fa7e0ae506b23add7ce803

SHA512
aeb6eb1e0b6497603a9752060b2c6a19d473e07a8dcde4ad726608a20bd653dfb148f7af4a6dc9866b4d0cf18f9504be0d4002d963d6afb25c0d2a2a8b3593d7

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
80KB

MD5
b170d82ed88f3b4e267c35326146c8c6

SHA1
5ff32ab40d1b3c8860a8ee8d3bfe138f1437d106

SHA256
880f09b826f403ef57a2bb88bb1ba1751ea071ac01b31b6bf15e30e93195cb8a

SHA512
2b8834d521a48cb9e6e2f42844bc1095c25b161eee9faf3e1bf846119891a051e3b48cbb323a1658801203e756b56f43d05feb656771bab239ef31966da44869

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
80KB

MD5
b170d82ed88f3b4e267c35326146c8c6

SHA1
5ff32ab40d1b3c8860a8ee8d3bfe138f1437d106

SHA256
880f09b826f403ef57a2bb88bb1ba1751ea071ac01b31b6bf15e30e93195cb8a

SHA512
2b8834d521a48cb9e6e2f42844bc1095c25b161eee9faf3e1bf846119891a051e3b48cbb323a1658801203e756b56f43d05feb656771bab239ef31966da44869

Download Submit
C:\Windows\SysWOW64\Qfmfefni.exe

Filesize
80KB

MD5
f46c3a8e14d6f64ee1a3b2bbb532a1df

SHA1
21f10343613de90593e58ebb3672d3aa72b1e385

SHA256
5af9b078b1cd825b36c6691cb4965cf942f364928c59de6052ac57b3470c6b2b

SHA512
97ab0cfc05340a9da221e6888e3ad61c7170de4e08d4d159d686f629524d66591e87f7916c835337ded577a58c6844d71afc80e4df422e676de728941f80bb80

Download Submit
C:\Windows\SysWOW64\Qfmfefni.exe

Filesize
80KB

MD5
f46c3a8e14d6f64ee1a3b2bbb532a1df

SHA1
21f10343613de90593e58ebb3672d3aa72b1e385

SHA256
5af9b078b1cd825b36c6691cb4965cf942f364928c59de6052ac57b3470c6b2b

SHA512
97ab0cfc05340a9da221e6888e3ad61c7170de4e08d4d159d686f629524d66591e87f7916c835337ded577a58c6844d71afc80e4df422e676de728941f80bb80

Download Submit
memory/228-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/228-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1876-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1876-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3676-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3676-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-61-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3860-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3860-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3976-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3976-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads