bfc1a8d2bda05bbab36b3a68c8d1c7c8e8b5b3a6016c8b6d82346acd5b34926d

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16f6a4c8638cd1f64d5c54a9d08152e0.exe
Size

224KB
MD5

16f6a4c8638cd1f64d5c54a9d08152e0
SHA1

8e72d5f84de27882ea626f498a85658bcffbcf39
SHA256

bfc1a8d2bda05bbab36b3a68c8d1c7c8e8b5b3a6016c8b6d82346acd5b34926d
SHA512

141976fc3b8975ccf32bff149d7cf396e708bd373fc200a4b0b66096b01c5f078a49731e3b73cedbb82be4b53276933434056d7baa76edb3130c91de3f9248db
SSDEEP

6144:4O2aKjqBFfIWu6BSllf7Qbuv3p30u6BSl:cOBFY6BwUbmP6B

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqkmjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhndldcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdjdh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abhimnma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfcikek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adpkee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahlgfdeq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhgmpfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coelaaoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlgpgef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhfipcid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okikfagn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfahhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckccgane.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abhimnma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnopfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbdjhmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhiffc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngnbgplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgeefbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjbgnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmfgjh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnqkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bocolb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlgpgef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgldibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfoocjfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdjdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcnbablo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Albjlcao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnopfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfamcogo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemgilhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cldooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgpappk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombapedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjbgnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Albjlcao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bblogakg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjadmnic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhela32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckoilb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlphkb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacgdhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ombapedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdneebf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpgpkcpp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjebn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgnke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfcikek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocnbmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacgdhlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpolo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojolhk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pogclp32.exe

Executes dropped EXE 64 IoCs

pid	Process
3040	Mlmlecec.exe
2844	Nefpnhlc.exe
2708	Nlphkb32.exe
2832	Ncjqhmkm.exe
2628	Nhfipcid.exe
2640	Nncahjgl.exe
1780	Nhiffc32.exe
2784	Nocnbmoo.exe
3024	Ngnbgplj.exe
2024	Nacgdhlp.exe
800	Ngpolo32.exe
700	Ojolhk32.exe
1500	Ocgpappk.exe
2072	Onmdoioa.exe
2112	Ombapedi.exe
2012	Obojhlbq.exe
1792	Omdneebf.exe
1104	Ofmbnkhg.exe
1776	Okikfagn.exe
956	Pfoocjfd.exe
1160	Pogclp32.exe
556	Pedleg32.exe
1712	Pjadmnic.exe
2332	Pqkmjh32.exe
2524	Pgeefbhm.exe
2948	Pmanoifd.exe
1316	Pfjbgnme.exe
2744	Pmdjdh32.exe
2584	Pcnbablo.exe
2140	Pjhknm32.exe
3032	Qmfgjh32.exe
2496	Qcpofbjl.exe
588	Qjjgclai.exe
1284	Qpgpkcpp.exe
2176	Qfahhm32.exe
396	Alnqqd32.exe
1464	Abhimnma.exe
2256	Ahdaee32.exe
1736	Abjebn32.exe
1940	Ahgnke32.exe
2724	Albjlcao.exe
2748	Abmbhn32.exe
2792	Adnopfoj.exe
1380	Ajhgmpfg.exe
472	Amfcikek.exe
1620	Adpkee32.exe
2152	Ahlgfdeq.exe
1808	Amhpnkch.exe
1624	Bdbhke32.exe
1156	Bhndldcn.exe
1600	Bmkmdk32.exe
2980	Bbhela32.exe
2968	Bmmiij32.exe
876	Bpleef32.exe
2460	Bfenbpec.exe
2348	Blbfjg32.exe
1816	Bpnbkeld.exe
988	Bblogakg.exe
1960	zmstage.exe
2276	Bocolb32.exe
2812	Bemgilhh.exe
2052	Bhkdeggl.exe
1868	Coelaaoi.exe
1688	Cdbdjhmp.exe

Loads dropped DLL 64 IoCs

pid	Process
2528	16f6a4c8638cd1f64d5c54a9d08152e0.exe
2528	16f6a4c8638cd1f64d5c54a9d08152e0.exe
3040	Mlmlecec.exe
3040	Mlmlecec.exe
2844	Nefpnhlc.exe
2844	Nefpnhlc.exe
2708	Nlphkb32.exe
2708	Nlphkb32.exe
2832	Ncjqhmkm.exe
2832	Ncjqhmkm.exe
2628	Nhfipcid.exe
2628	Nhfipcid.exe
2640	Nncahjgl.exe
2640	Nncahjgl.exe
1780	Nhiffc32.exe
1780	Nhiffc32.exe
2784	Nocnbmoo.exe
2784	Nocnbmoo.exe
3024	Ngnbgplj.exe
3024	Ngnbgplj.exe
2024	Nacgdhlp.exe
2024	Nacgdhlp.exe
800	Ngpolo32.exe
800	Ngpolo32.exe
700	Ojolhk32.exe
700	Ojolhk32.exe
1500	Ocgpappk.exe
1500	Ocgpappk.exe
2072	Onmdoioa.exe
2072	Onmdoioa.exe
2112	Ombapedi.exe
2112	Ombapedi.exe
2012	Obojhlbq.exe
2012	Obojhlbq.exe
1792	Omdneebf.exe
1792	Omdneebf.exe
1104	Ofmbnkhg.exe
1104	Ofmbnkhg.exe
1776	Okikfagn.exe
1776	Okikfagn.exe
956	Pfoocjfd.exe
956	Pfoocjfd.exe
1160	Pogclp32.exe
1160	Pogclp32.exe
556	Pedleg32.exe
556	Pedleg32.exe
1712	Pjadmnic.exe
1712	Pjadmnic.exe
2332	Pqkmjh32.exe
2332	Pqkmjh32.exe
2524	Pgeefbhm.exe
2524	Pgeefbhm.exe
2948	Pmanoifd.exe
2948	Pmanoifd.exe
1316	Pfjbgnme.exe
1316	Pfjbgnme.exe
2744	Pmdjdh32.exe
2744	Pmdjdh32.exe
2584	Pcnbablo.exe
2584	Pcnbablo.exe
2140	Pjhknm32.exe
2140	Pjhknm32.exe
3032	Qmfgjh32.exe
3032	Qmfgjh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mijgof32.dll	Obojhlbq.exe
File created	C:\Windows\SysWOW64\Pedleg32.exe	Pogclp32.exe
File created	C:\Windows\SysWOW64\Albjlcao.exe	Ahgnke32.exe
File created	C:\Windows\SysWOW64\Bfenbpec.exe	Bpleef32.exe
File created	C:\Windows\SysWOW64\Bnilfo32.dll	Pmdjdh32.exe
File created	C:\Windows\SysWOW64\Jjifqd32.dll	Ahgnke32.exe
File created	C:\Windows\SysWOW64\Bbhela32.exe	Bmkmdk32.exe
File created	C:\Windows\SysWOW64\Nanbpedg.dll	Cafecmlj.exe
File created	C:\Windows\SysWOW64\Amkoie32.dll	Okikfagn.exe
File created	C:\Windows\SysWOW64\Fbgkoe32.dll	Bdbhke32.exe
File opened for modification	C:\Windows\SysWOW64\Bblogakg.exe	Bpnbkeld.exe
File opened for modification	C:\Windows\SysWOW64\Ebjglbml.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Nlphkb32.exe	Nefpnhlc.exe
File created	C:\Windows\SysWOW64\Ajdplfmo.dll	Adnopfoj.exe
File created	C:\Windows\SysWOW64\Dkjgaecj.dll	Amfcikek.exe
File opened for modification	C:\Windows\SysWOW64\Bhigphio.exe	Bblogakg.exe
File created	C:\Windows\SysWOW64\Nadddkfi.dll	Ojolhk32.exe
File opened for modification	C:\Windows\SysWOW64\Pcnbablo.exe	Pmdjdh32.exe
File created	C:\Windows\SysWOW64\Iakdqgfi.dll	Qpgpkcpp.exe
File created	C:\Windows\SysWOW64\Cklmgb32.exe	Chnqkg32.exe
File created	C:\Windows\SysWOW64\Onmdoioa.exe	Ocgpappk.exe
File created	C:\Windows\SysWOW64\Kckmmp32.dll	Abjebn32.exe
File created	C:\Windows\SysWOW64\Bmkmdk32.exe	Bhndldcn.exe
File opened for modification	C:\Windows\SysWOW64\Bhkdeggl.exe	Bemgilhh.exe
File opened for modification	C:\Windows\SysWOW64\Dcadac32.exe	Dlgldibq.exe
File created	C:\Windows\SysWOW64\Ckccgane.exe	Cdikkg32.exe
File created	C:\Windows\SysWOW64\Adpkee32.exe	Amfcikek.exe
File created	C:\Windows\SysWOW64\Gjhfbach.dll	Chbjffad.exe
File opened for modification	C:\Windows\SysWOW64\Bocolb32.exe	Bldcpf32.exe
File created	C:\Windows\SysWOW64\Mdkjlm32.dll	Nlphkb32.exe
File created	C:\Windows\SysWOW64\Bbnhbg32.dll	Nncahjgl.exe
File created	C:\Windows\SysWOW64\Ngpolo32.exe	Nacgdhlp.exe
File created	C:\Windows\SysWOW64\Ojolhk32.exe	Ngpolo32.exe
File created	C:\Windows\SysWOW64\Mcaiqm32.dll	Ofmbnkhg.exe
File created	C:\Windows\SysWOW64\Pmanoifd.exe	Pgeefbhm.exe
File created	C:\Windows\SysWOW64\Fehofegb.dll	Alnqqd32.exe
File created	C:\Windows\SysWOW64\Mclgfa32.dll	Bpleef32.exe
File opened for modification	C:\Windows\SysWOW64\Cddaphkn.exe	Cafecmlj.exe
File created	C:\Windows\SysWOW64\Qpgpkcpp.exe	Qjjgclai.exe
File created	C:\Windows\SysWOW64\Phccmbca.dll	Amhpnkch.exe
File opened for modification	C:\Windows\SysWOW64\Bhndldcn.exe	Bdbhke32.exe
File created	C:\Windows\SysWOW64\Dcadac32.exe	Dlgldibq.exe
File created	C:\Windows\SysWOW64\Kcbabf32.dll	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Nneloe32.dll	Ngpolo32.exe
File created	C:\Windows\SysWOW64\Opfdll32.dll	Ckafbbph.exe
File opened for modification	C:\Windows\SysWOW64\Egafleqm.exe	Ejmebq32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkmdk32.exe	Bhndldcn.exe
File created	C:\Windows\SysWOW64\Bpleef32.exe	Bmmiij32.exe
File created	C:\Windows\SysWOW64\Jaegglem.dll	Dgjclbdi.exe
File created	C:\Windows\SysWOW64\Blopagpd.dll	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Hoogfn32.dll	Ebjglbml.exe
File opened for modification	C:\Windows\SysWOW64\Qmfgjh32.exe	Pjhknm32.exe
File created	C:\Windows\SysWOW64\Abjebn32.exe	Ahdaee32.exe
File opened for modification	C:\Windows\SysWOW64\Chnqkg32.exe	Cdbdjhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ckoilb32.exe	Cddaphkn.exe
File opened for modification	C:\Windows\SysWOW64\Ckafbbph.exe	Chbjffad.exe
File opened for modification	C:\Windows\SysWOW64\Dlgldibq.exe	Djhphncm.exe
File created	C:\Windows\SysWOW64\Pjhknm32.exe	Pcnbablo.exe
File opened for modification	C:\Windows\SysWOW64\Dccagcgk.exe	Dpeekh32.exe
File created	C:\Windows\SysWOW64\Ebjglbml.exe	Eqijej32.exe
File opened for modification	C:\Windows\SysWOW64\Mlmlecec.exe	16f6a4c8638cd1f64d5c54a9d08152e0.exe
File created	C:\Windows\SysWOW64\Fgefik32.dll	Onmdoioa.exe
File created	C:\Windows\SysWOW64\Bdbhke32.exe	Amhpnkch.exe
File created	C:\Windows\SysWOW64\Qbgpffch.dll	Cdlgpgef.exe

Program crash 1 IoCs

pid	pid_target	Process
3616	3592	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlmlecec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcaiqm32.dll"	Ofmbnkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicdaj32.dll"	Qjjgclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll"	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhknm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfahhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdaee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgnhbba.dll"	Cklmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhfbqi.dll"	Bldcpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iakdqgfi.dll"	Qpgpkcpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfahhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllbijej.dll"	Qfahhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmmiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcnbablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abjebn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coelaaoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	16f6a4c8638cd1f64d5c54a9d08152e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnopfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfenbpec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgpffch.dll"	Cdlgpgef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pedleg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abhimnma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcadac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nefpnhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngnbgplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojolhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgefik32.dll"	Onmdoioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojolhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfenbpec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcadac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njabih32.dll"	Bpnbkeld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cahail32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkjlm32.dll"	Nlphkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkepc32.dll"	Nacgdhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhgmpfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnilfo32.dll"	Pmdjdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahlgfdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mijgof32.dll"	Obojhlbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objbcm32.dll"	Pjadmnic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmdobgi.dll"	Bmkmdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjifqd32.dll"	Ahgnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	zmstage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckoilb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmmiihp.dll"	Ckoilb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacgdhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll"	Ojolhk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 3040	2528	16f6a4c8638cd1f64d5c54a9d08152e0.exe	109
PID 2528 wrote to memory of 3040	2528	16f6a4c8638cd1f64d5c54a9d08152e0.exe	109
PID 2528 wrote to memory of 3040	2528	16f6a4c8638cd1f64d5c54a9d08152e0.exe	109
PID 2528 wrote to memory of 3040	2528	16f6a4c8638cd1f64d5c54a9d08152e0.exe	109
PID 3040 wrote to memory of 2844	3040	Mlmlecec.exe	108
PID 3040 wrote to memory of 2844	3040	Mlmlecec.exe	108
PID 3040 wrote to memory of 2844	3040	Mlmlecec.exe	108
PID 3040 wrote to memory of 2844	3040	Mlmlecec.exe	108
PID 2844 wrote to memory of 2708	2844	Nefpnhlc.exe	107
PID 2844 wrote to memory of 2708	2844	Nefpnhlc.exe	107
PID 2844 wrote to memory of 2708	2844	Nefpnhlc.exe	107
PID 2844 wrote to memory of 2708	2844	Nefpnhlc.exe	107
PID 2708 wrote to memory of 2832	2708	Nlphkb32.exe	14
PID 2708 wrote to memory of 2832	2708	Nlphkb32.exe	14
PID 2708 wrote to memory of 2832	2708	Nlphkb32.exe	14
PID 2708 wrote to memory of 2832	2708	Nlphkb32.exe	14
PID 2832 wrote to memory of 2628	2832	Ncjqhmkm.exe	106
PID 2832 wrote to memory of 2628	2832	Ncjqhmkm.exe	106
PID 2832 wrote to memory of 2628	2832	Ncjqhmkm.exe	106
PID 2832 wrote to memory of 2628	2832	Ncjqhmkm.exe	106
PID 2628 wrote to memory of 2640	2628	Nhfipcid.exe	105
PID 2628 wrote to memory of 2640	2628	Nhfipcid.exe	105
PID 2628 wrote to memory of 2640	2628	Nhfipcid.exe	105
PID 2628 wrote to memory of 2640	2628	Nhfipcid.exe	105
PID 2640 wrote to memory of 1780	2640	Nncahjgl.exe	104
PID 2640 wrote to memory of 1780	2640	Nncahjgl.exe	104
PID 2640 wrote to memory of 1780	2640	Nncahjgl.exe	104
PID 2640 wrote to memory of 1780	2640	Nncahjgl.exe	104
PID 1780 wrote to memory of 2784	1780	Nhiffc32.exe	103
PID 1780 wrote to memory of 2784	1780	Nhiffc32.exe	103
PID 1780 wrote to memory of 2784	1780	Nhiffc32.exe	103
PID 1780 wrote to memory of 2784	1780	Nhiffc32.exe	103
PID 2784 wrote to memory of 3024	2784	Nocnbmoo.exe	102
PID 2784 wrote to memory of 3024	2784	Nocnbmoo.exe	102
PID 2784 wrote to memory of 3024	2784	Nocnbmoo.exe	102
PID 2784 wrote to memory of 3024	2784	Nocnbmoo.exe	102
PID 3024 wrote to memory of 2024	3024	Ngnbgplj.exe	101
PID 3024 wrote to memory of 2024	3024	Ngnbgplj.exe	101
PID 3024 wrote to memory of 2024	3024	Ngnbgplj.exe	101
PID 3024 wrote to memory of 2024	3024	Ngnbgplj.exe	101
PID 2024 wrote to memory of 800	2024	Nacgdhlp.exe	100
PID 2024 wrote to memory of 800	2024	Nacgdhlp.exe	100
PID 2024 wrote to memory of 800	2024	Nacgdhlp.exe	100
PID 2024 wrote to memory of 800	2024	Nacgdhlp.exe	100
PID 800 wrote to memory of 700	800	Ngpolo32.exe	99
PID 800 wrote to memory of 700	800	Ngpolo32.exe	99
PID 800 wrote to memory of 700	800	Ngpolo32.exe	99
PID 800 wrote to memory of 700	800	Ngpolo32.exe	99
PID 700 wrote to memory of 1500	700	Ojolhk32.exe	98
PID 700 wrote to memory of 1500	700	Ojolhk32.exe	98
PID 700 wrote to memory of 1500	700	Ojolhk32.exe	98
PID 700 wrote to memory of 1500	700	Ojolhk32.exe	98
PID 1500 wrote to memory of 2072	1500	Ocgpappk.exe	15
PID 1500 wrote to memory of 2072	1500	Ocgpappk.exe	15
PID 1500 wrote to memory of 2072	1500	Ocgpappk.exe	15
PID 1500 wrote to memory of 2072	1500	Ocgpappk.exe	15
PID 2072 wrote to memory of 2112	2072	Onmdoioa.exe	97
PID 2072 wrote to memory of 2112	2072	Onmdoioa.exe	97
PID 2072 wrote to memory of 2112	2072	Onmdoioa.exe	97
PID 2072 wrote to memory of 2112	2072	Onmdoioa.exe	97
PID 2112 wrote to memory of 2012	2112	Ombapedi.exe	96
PID 2112 wrote to memory of 2012	2112	Ombapedi.exe	96
PID 2112 wrote to memory of 2012	2112	Ombapedi.exe	96
PID 2112 wrote to memory of 2012	2112	Ombapedi.exe	96

C:\Windows\SysWOW64\Ncjqhmkm.exe
C:\Windows\system32\Ncjqhmkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\Nhfipcid.exe
  C:\Windows\system32\Nhfipcid.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628

C:\Windows\SysWOW64\Onmdoioa.exe
C:\Windows\system32\Onmdoioa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\Ombapedi.exe
  C:\Windows\system32\Ombapedi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2112

C:\Windows\SysWOW64\Omdneebf.exe
C:\Windows\system32\Omdneebf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1792
- C:\Windows\SysWOW64\Ofmbnkhg.exe
  C:\Windows\system32\Ofmbnkhg.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:1104
- - C:\Windows\SysWOW64\Okikfagn.exe
    C:\Windows\system32\Okikfagn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1776

C:\Windows\SysWOW64\Pmanoifd.exe
C:\Windows\system32\Pmanoifd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948
- C:\Windows\SysWOW64\Pfjbgnme.exe
  C:\Windows\system32\Pfjbgnme.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1316
- - C:\Windows\SysWOW64\Pmdjdh32.exe
    C:\Windows\system32\Pmdjdh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:2744
  - - C:\Windows\SysWOW64\Pcnbablo.exe
      C:\Windows\system32\Pcnbablo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      PID:2584

C:\Windows\SysWOW64\Pjhknm32.exe
C:\Windows\system32\Pjhknm32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2140
- C:\Windows\SysWOW64\Qmfgjh32.exe
  C:\Windows\system32\Qmfgjh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3032

C:\Windows\SysWOW64\Qcpofbjl.exe
C:\Windows\system32\Qcpofbjl.exe
1⤵
- Executes dropped EXE
PID:2496
- C:\Windows\SysWOW64\Qjjgclai.exe
  C:\Windows\system32\Qjjgclai.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:588
- - C:\Windows\SysWOW64\Qpgpkcpp.exe
    C:\Windows\system32\Qpgpkcpp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1284
  - - C:\Windows\SysWOW64\Qfahhm32.exe
      C:\Windows\system32\Qfahhm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:2176
    - - C:\Windows\SysWOW64\Alnqqd32.exe
        
        C:\Windows\system32\Alnqqd32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396

C:\Windows\SysWOW64\Ahdaee32.exe
C:\Windows\system32\Ahdaee32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2256
- C:\Windows\SysWOW64\Abjebn32.exe
  C:\Windows\system32\Abjebn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1736
- - C:\Windows\SysWOW64\Ahgnke32.exe
    C:\Windows\system32\Ahgnke32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1940

C:\Windows\SysWOW64\Albjlcao.exe
C:\Windows\system32\Albjlcao.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2724
- C:\Windows\SysWOW64\Abmbhn32.exe
  C:\Windows\system32\Abmbhn32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2748

C:\Windows\SysWOW64\Ahlgfdeq.exe
C:\Windows\system32\Ahlgfdeq.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2152
- C:\Windows\SysWOW64\Amhpnkch.exe
  C:\Windows\system32\Amhpnkch.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1808

C:\Windows\SysWOW64\Bbhela32.exe
C:\Windows\system32\Bbhela32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2980
- C:\Windows\SysWOW64\Bmmiij32.exe
  C:\Windows\system32\Bmmiij32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2968

C:\Windows\SysWOW64\Bblogakg.exe
C:\Windows\system32\Bblogakg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:988
- C:\Windows\SysWOW64\Bhigphio.exe
  C:\Windows\system32\Bhigphio.exe
  2⤵
  PID:1960

C:\Windows\SysWOW64\Bldcpf32.exe
C:\Windows\system32\Bldcpf32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:3056
- C:\Windows\SysWOW64\Bocolb32.exe
  C:\Windows\system32\Bocolb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:2276

C:\Windows\SysWOW64\Chnqkg32.exe
C:\Windows\system32\Chnqkg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2604
- C:\Windows\SysWOW64\Cklmgb32.exe
  C:\Windows\system32\Cklmgb32.exe
  2⤵
  - Modifies registry class
  PID:1980
- - C:\Windows\SysWOW64\Cafecmlj.exe
    C:\Windows\system32\Cafecmlj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:2400

C:\Windows\SysWOW64\Cdikkg32.exe
C:\Windows\system32\Cdikkg32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1544
- C:\Windows\SysWOW64\Ckccgane.exe
  C:\Windows\system32\Ckccgane.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:3044
- - C:\Windows\SysWOW64\Cldooj32.exe
    C:\Windows\system32\Cldooj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID:1300

C:\Windows\SysWOW64\Dcadac32.exe
C:\Windows\system32\Dcadac32.exe
1⤵
- Modifies registry class
PID:2404
- C:\Windows\SysWOW64\Dfoqmo32.exe
  C:\Windows\system32\Dfoqmo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:3108

C:\Windows\SysWOW64\Dccagcgk.exe
C:\Windows\system32\Dccagcgk.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:3228
- C:\Windows\SysWOW64\Dfamcogo.exe
  C:\Windows\system32\Dfamcogo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:3268
- - C:\Windows\SysWOW64\Egllae32.exe
    C:\Windows\system32\Egllae32.exe
    3⤵
    - Modifies registry class
    PID:3312
  - - C:\Windows\SysWOW64\Ejmebq32.exe
      C:\Windows\system32\Ejmebq32.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:3352

C:\Windows\SysWOW64\Dpeekh32.exe
C:\Windows\system32\Dpeekh32.exe
1⤵
- Drops file in System32 directory
PID:3188

C:\Windows\SysWOW64\Dhnmij32.exe
C:\Windows\system32\Dhnmij32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3148

C:\Windows\SysWOW64\Dlgldibq.exe
C:\Windows\system32\Dlgldibq.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2504

C:\Windows\SysWOW64\Djhphncm.exe
C:\Windows\system32\Djhphncm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1768

C:\Windows\SysWOW64\Dgjclbdi.exe
C:\Windows\system32\Dgjclbdi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:436

C:\Windows\SysWOW64\Eqijej32.exe
C:\Windows\system32\Eqijej32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3472
- C:\Windows\SysWOW64\Ebjglbml.exe
  C:\Windows\system32\Ebjglbml.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:3512

C:\Windows\SysWOW64\Fjaonpnn.exe
C:\Windows\system32\Fjaonpnn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3552
- C:\Windows\SysWOW64\Fkckeh32.exe
  C:\Windows\system32\Fkckeh32.exe
  2⤵
  PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 140
1⤵
- Program crash
PID:3616

C:\Windows\SysWOW64\Ejobhppq.exe
C:\Windows\system32\Ejobhppq.exe
1⤵
- Modifies registry class
PID:3432

C:\Windows\SysWOW64\Egafleqm.exe
C:\Windows\system32\Egafleqm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3392

C:\Windows\SysWOW64\Cdlgpgef.exe
C:\Windows\system32\Cdlgpgef.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2364

C:\Windows\SysWOW64\Caknol32.exe
C:\Windows\system32\Caknol32.exe
1⤵
PID:2988

C:\Windows\SysWOW64\Ckafbbph.exe
C:\Windows\system32\Ckafbbph.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:1732

C:\Windows\SysWOW64\Chbjffad.exe
C:\Windows\system32\Chbjffad.exe
1⤵
- Drops file in System32 directory
PID:1032

C:\Windows\SysWOW64\Cahail32.exe
C:\Windows\system32\Cahail32.exe
1⤵
- Modifies registry class
PID:1988

C:\Windows\SysWOW64\Ckoilb32.exe
C:\Windows\system32\Ckoilb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1596

C:\Windows\SysWOW64\Cddaphkn.exe
C:\Windows\system32\Cddaphkn.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:688

C:\Windows\SysWOW64\Cdbdjhmp.exe
C:\Windows\system32\Cdbdjhmp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1688

C:\Windows\SysWOW64\Coelaaoi.exe
C:\Windows\system32\Coelaaoi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1868

C:\Windows\SysWOW64\Bhkdeggl.exe
C:\Windows\system32\Bhkdeggl.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\SysWOW64\Bemgilhh.exe
C:\Windows\system32\Bemgilhh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2812

C:\Windows\SysWOW64\Bpnbkeld.exe
C:\Windows\system32\Bpnbkeld.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1816

C:\Windows\SysWOW64\Blbfjg32.exe
C:\Windows\system32\Blbfjg32.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\SysWOW64\Bfenbpec.exe
C:\Windows\system32\Bfenbpec.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2460

C:\Windows\SysWOW64\Bpleef32.exe
C:\Windows\system32\Bpleef32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:876

C:\Windows\SysWOW64\Bmkmdk32.exe
C:\Windows\system32\Bmkmdk32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1600

C:\Windows\SysWOW64\Bhndldcn.exe
C:\Windows\system32\Bhndldcn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1156

C:\Windows\SysWOW64\Bdbhke32.exe
C:\Windows\system32\Bdbhke32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624

C:\Windows\SysWOW64\Adpkee32.exe
C:\Windows\system32\Adpkee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620

C:\Windows\SysWOW64\Amfcikek.exe
C:\Windows\system32\Amfcikek.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:472

C:\Windows\SysWOW64\Ajhgmpfg.exe
C:\Windows\system32\Ajhgmpfg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1380

C:\Windows\SysWOW64\Adnopfoj.exe
C:\Windows\system32\Adnopfoj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2792

C:\Windows\SysWOW64\Abhimnma.exe
C:\Windows\system32\Abhimnma.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1464

C:\Windows\SysWOW64\Pgeefbhm.exe
C:\Windows\system32\Pgeefbhm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2524

C:\Windows\SysWOW64\Pqkmjh32.exe
C:\Windows\system32\Pqkmjh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2332

C:\Windows\SysWOW64\Pjadmnic.exe
C:\Windows\system32\Pjadmnic.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1712

C:\Windows\SysWOW64\Pedleg32.exe
C:\Windows\system32\Pedleg32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:556

C:\Windows\SysWOW64\Pogclp32.exe
C:\Windows\system32\Pogclp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1160

C:\Windows\SysWOW64\Pfoocjfd.exe
C:\Windows\system32\Pfoocjfd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:956

C:\Windows\SysWOW64\Obojhlbq.exe
C:\Windows\system32\Obojhlbq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2012

C:\Windows\SysWOW64\Ocgpappk.exe
C:\Windows\system32\Ocgpappk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\Ojolhk32.exe
C:\Windows\system32\Ojolhk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\Ngpolo32.exe
C:\Windows\system32\Ngpolo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\Nacgdhlp.exe
C:\Windows\system32\Nacgdhlp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\Ngnbgplj.exe
C:\Windows\system32\Ngnbgplj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\Nocnbmoo.exe
C:\Windows\system32\Nocnbmoo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\Nhiffc32.exe
C:\Windows\system32\Nhiffc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\Nncahjgl.exe
C:\Windows\system32\Nncahjgl.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\Nlphkb32.exe
C:\Windows\system32\Nlphkb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\Nefpnhlc.exe
C:\Windows\system32\Nefpnhlc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\Mlmlecec.exe
C:\Windows\system32\Mlmlecec.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\16f6a4c8638cd1f64d5c54a9d08152e0.exe
"C:\Users\Admin\AppData\Local\Temp\16f6a4c8638cd1f64d5c54a9d08152e0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Local\Temp\577193805\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\577193805\zmstage.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dccagcgk.exe

Filesize
224KB

MD5
029392edd99c9c4309926f63aa3c775e

SHA1
7426f66ac8412e6d53d6bd210bdf30683bb742cc

SHA256
2b2585c3a2629f2fbca7c0c9e193060e7a7158760a023d87b2e7e2aba5534018

SHA512
e2275ece3b0174cdf122cf8877f39d3c31bbbad29793e821c9df3ab414cf812043d14c2052ce05513674cf3db9ef8d28aef2b48986e9fa6e7dd1f0f7c8beb61d

Download Submit
C:\Windows\SysWOW64\Dfamcogo.exe

Filesize
224KB

MD5
86e95cf2447b2bc5f769eef8a4403db6

SHA1
d49fdccd734e24dc52a9d7907f9183d2ec428da1

SHA256
209e501cddcbd79be76e61ccd4bfcaa43d0ee7881925ed817e661416d9843981

SHA512
ba7c83af1fded26eb8c0dd0b3b340708b2f121a014191287972584d04de9cb7cc17b1afd7a8a163a78f8569a376a00f39fef5f0272388baad585ae02d0f8bdd3

Download Submit
C:\Windows\SysWOW64\Dpeekh32.exe

Filesize
224KB

MD5
b5cd6651a23998f0530fad8d36ff261e

SHA1
eb12f03fb2d2051ef0c5605bf37631c5bbe96ac7

SHA256
c245040c253a33643ca6d55a9a0c7055d3ecf73adb007da2f0ed4cf406bb4cba

SHA512
b9c7aae5aa29143ecbafe79a04284cf9038f2076dec8d4f49ca70e24c163b86b0fc900847e2edf842b1cd20d91cf5f836218edb41c2990f5eb003a170d24e7b4

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
224KB

MD5
56cafb6fb4e678655d216121afabd375

SHA1
4a3889ed942de7ee19395ac9629a52490f1b81b5

SHA256
04ceb1db081467ea961d6f9582224b88ce7dd5743421a15b7e56471bd52ef4c1

SHA512
0fa8462e71fd5f43a512ba57b4096eca683abaeaa194ca2aa0380eb46df63db044795beb347d77af73af6fb0337c53ddf397dee42126e195574a6cddef69c4db

Download Submit
C:\Windows\SysWOW64\Egafleqm.exe

Filesize
224KB

MD5
bd5eea4eda12097b380f47c246d74f64

SHA1
8506c6d20ff2fdb192bfa4db93e6a604a3a9f9e1

SHA256
54854abe731841fabc891ac00f85531767ae3835f005b186869e9e13aa1696f1

SHA512
8b481de80a0fd882370c8bf127a4aaa425de58491b98a105ea11d8a9e3598569080602db4498748312a8d60a6cf91a42976743e85a081c44f1041774a86e2ffa

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
224KB

MD5
43b264c752eef27ff7f3de3a43edb13e

SHA1
75c0e15b6e0b78dcf81f7816e401556d93eeeb0e

SHA256
2a21f2c0f288d36cf0c4e324bb266688247850e37a8adc6c5aa629638cb29fd2

SHA512
c8605f85dfcc2996fc7e42019e3d8025d36f083db43237e430730fa23cf28fbc7ff300d904e6144439c60059cdb7df3c5660a32cc30c7e03cb0209cf17b59d51

Download Submit
C:\Windows\SysWOW64\Ejmebq32.exe

Filesize
224KB

MD5
20d2eb5723d159a04c6ee446b4317125

SHA1
2ddd7c31662fc15d54ae6552a328675dc32e104a

SHA256
002c62a8d50da9903d8e40a4605f8c322694bfe0f11390a1deca332f2e51355e

SHA512
21e3fc11ebf5ba7c44e34b18b38cfdf0b83ea1229baf73e03a053c9ea0062261a553aed01bdbfcba0f82dd9b64d788d8beca188d60a41cec2c136593dc2e1a57

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
224KB

MD5
c656b15d0bbb7f25757a75fccd7cfc36

SHA1
7f2563c38ad27b8bfae9603a559522810d66b227

SHA256
0921a7a5137ed5a00d0b5b9975b937991707497edbe5491453b5b154a94ffd15

SHA512
6cbd4c8b04a44e03c332e48bbd38c3be66bebeb6cfe4ffb2f6e2ce8838387e6f3e84b3633d1f694d2a707af66a666def73c618c427a15d32318bd7696061b260

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
224KB

MD5
8d25469fa02f78f3417b740b8520c15a

SHA1
84482025f37df8e4a14bc00cee3b3ff026afae3b

SHA256
a1bd6496f2d6b1e453a0a953000ba0ceff103ed42b01437d6a656fd734842420

SHA512
0b646fe91d5da0983d9403d17d5b67fb29d30df67a5e5a9c93ce6673779a1b604cca911072200673e299161bcd828446608ae72276a1711b975a648ad6ba9a42

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
224KB

MD5
cf17d95e942a11b7943fded40d8a4ff6

SHA1
73d1bc72053c2bebc13b59b9a5943279f5d80ecc

SHA256
09748df6494d0471847c578146c4ff4df1109077d9ceae3750d72a8c8f6236ad

SHA512
e17246ce1e05435476569a61eb46039bc5e4b422403c1bfc2f318e01ccd95782d1af36b4d15741981f01c1df34bf32ef2bf94eb62de0a549133e863bff0fefcd

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
224KB

MD5
ecc678b86168dab6f74ddbb460403c4d

SHA1
b825e51eb922c8996b7d7ed25634f4b7dac97d86

SHA256
b33d120783e0f03632a878457d759f18d23c5360daa93200e14cb61f92f8048e

SHA512
adcb87925823c19abe4e91569b89eaf3afe891ddaa342f308906244ee23ca5f50766783b909c5fd736e509f92c3ee845b0f83e0c121603ba0fbbdfb37f314310

Download Submit
C:\Windows\SysWOW64\Mlmlecec.exe

Filesize
224KB

MD5
b5c726d4da97e98f46dd4503ec8be4a9

SHA1
0aed6fad8dd141aa2103a6eab40a524d3dee4d54

SHA256
0309e043e3b50e910d8b85057af9d1333a93660123a068ae5b6ac86df640f83e

SHA512
b38b14129c070641f042ebbacd4a020a2a3c5d4e8a2b62db596dea94dfffe833e9672ddc9c0346876af68085fecc49bd9c52b0197a153e73f0e6cccdf9086d81

Download Submit
C:\Windows\SysWOW64\Nefpnhlc.exe

Filesize
224KB

MD5
a7c17405dc500389d2140382fbbc9e9d

SHA1
cf9a9d268373ae03567f309aa6c94b42ced6878f

SHA256
d249d21e0737fdded29c11e6148b613634402aaa3906420f4075694f2b32c356

SHA512
3a332306752c90616e258de1425bed2906033fc17188fdf362223adc07871f5136498d1e0ecbc53bf3b29fb7e0dd857fd8aaeed6c8f73f2584667a2692b9e4bc

Download Submit
\Windows\SysWOW64\Nefpnhlc.exe

Filesize
91KB

MD5
80ff0e70f6f4781113e13e7c25f6c676

SHA1
958fe6c47562eae5f17ddfb4a890f01b07ec58e9

SHA256
a16f3f95a57de6e0261931e8a3dd6db069e4e76c364af76221cfea7cb87776a3

SHA512
7b474fe0948b4335dc3aa56db81fefd14c3f7b459875aea12329007bc95a53d8ff74108672e5a14dc598533f6e299c93ea730934972062b4ab3fa0f009a8da8e

Download Submit
memory/556-299-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/556-294-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/556-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/588-1064-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-170-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/700-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-161-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/800-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-1051-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-272-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/956-273-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1104-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-252-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1104-248-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1160-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-1052-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-288-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1160-283-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1316-355-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1316-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-349-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1464-1068-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-188-0x0000000001BA0000-0x0000000001BD4000-memory.dmp

Filesize
208KB

Download
memory/1500-195-0x0000000001BA0000-0x0000000001BD4000-memory.dmp

Filesize
208KB

Download
memory/1712-305-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1712-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-310-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1776-267-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1776-1050-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-261-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1780-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-101-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1792-245-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1792-240-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1960-1090-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-231-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2012-227-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2012-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-152-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2024-146-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2024-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-204-0x0000000001B70000-0x0000000001BA4000-memory.dmp

Filesize
208KB

Download
memory/2072-205-0x0000000001B70000-0x0000000001BA4000-memory.dmp

Filesize
208KB

Download
memory/2112-219-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2112-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-1078-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-1066-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-1096-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-316-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2332-321-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2332-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-332-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2524-327-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2524-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2528-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-6-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2628-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-87-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2724-1072-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-1059-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-114-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2792-1074-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-35-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2948-343-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2948-338-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2948-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-127-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3040-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-22-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3056-1091-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads