4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d.exe
Size

107KB
MD5

d8b3deb85641b93d8780dad5272b4d21
SHA1

40584e21f2bdd41d86e34ce45212ebb7a9c0e913
SHA256

4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d
SHA512

dd76b3ea3f6e26bea974c539760012244ac474cf08e54d3e3bc35e9d3cc252976ac1a1b93488aad502c268902136744e329eb8e634639c7398c08787c87e32c6
SSDEEP

1536:WWv3dU8AK4262AvOpGiDDoy7jGchaoh4v/5i2LWaIZTJ+7LhkiB0MPiKeEAgHD/J:WWV+u6HqZe4g3lWaMU7uihJ5233y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fniihmpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Figgdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicgpelg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eghkjdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmhijd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicgpelg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kolabf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqhjggp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egcaod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqbcbkab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kolabf32.exe

Executes dropped EXE 64 IoCs

pid	Process
1952	Pmiikh32.exe
1484	Pnkbkk32.exe
1720	Pffgom32.exe
896	Palklf32.exe
2224	Pnplfj32.exe
3612	Qfkqjmdg.exe
3056	Qhjmdp32.exe
4848	Qacameaj.exe
4776	Aphnnafb.exe
2684	Adfgdpmi.exe
4016	Amnlme32.exe
452	Akblfj32.exe
984	Aopemh32.exe
4356	Bgkiaj32.exe
2444	Bdojjo32.exe
1864	Bmhocd32.exe
1772	Bhmbqm32.exe
1116	Bphgeo32.exe
4484	Bhblllfo.exe
4728	Chdialdl.exe
1984	Cammjakm.exe
3864	Ckebcg32.exe
4488	Cnfkdb32.exe
4900	Cacckp32.exe
4108	Cklhcfle.exe
4456	Dkndie32.exe
3468	Ddgibkpc.exe
1216	Dakikoom.exe
4628	Doojec32.exe
2184	Dqbcbkab.exe
2780	Enfckp32.exe
2284	Edbiniff.exe
3664	Egcaod32.exe
1456	Ehbnigjj.exe
2848	Eghkjdoa.exe
2968	Figgdg32.exe
3784	Fgmdec32.exe
2496	Fqeioiam.exe
1264	Fniihmpf.exe
2164	Fkmjaa32.exe
1552	Fiqjke32.exe
4720	Gicgpelg.exe
900	Gejhef32.exe
5112	Gaqhjggp.exe
540	Gbbajjlp.exe
5036	Hiacacpg.exe
5148	Hpmhdmea.exe
5188	Iijfhbhl.exe
5236	Iojkeh32.exe
5280	Jhifomdj.exe
5320	Jocnlg32.exe
5360	Jadgnb32.exe
5404	Jpegkj32.exe
5448	Jafdcbge.exe
5488	Kolabf32.exe
5532	Kibeoo32.exe
5580	Kpqggh32.exe
5624	Kcapicdj.exe
5668	Lohqnd32.exe
5712	Lebijnak.exe
5756	Ljpaqmgb.exe
5800	Lchfib32.exe
5844	Loacdc32.exe
5888	Mledmg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Biafno32.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Nbbeml32.exe	Nqaiecjd.exe
File created	C:\Windows\SysWOW64\Jjgkan32.dll	Opbean32.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Mcaipa32.exe	Mablfnne.exe
File opened for modification	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Mdcajc32.dll	Mqhfoebo.exe
File opened for modification	C:\Windows\SysWOW64\Egcaod32.exe	Edbiniff.exe
File created	C:\Windows\SysWOW64\Dakikoom.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Jafdcbge.exe	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lebijnak.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Lchfib32.exe
File opened for modification	C:\Windows\SysWOW64\Momcpa32.exe	Mfenglqf.exe
File created	C:\Windows\SysWOW64\Pnplfj32.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Qhjmdp32.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Fpgkbmbm.dll	Nmhijd32.exe
File created	C:\Windows\SysWOW64\Oiccje32.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Pnkbkk32.exe	Pmiikh32.exe
File opened for modification	C:\Windows\SysWOW64\Gaqhjggp.exe	Gejhef32.exe
File created	C:\Windows\SysWOW64\Amhmnagf.dll	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Mablfnne.exe	Mledmg32.exe
File created	C:\Windows\SysWOW64\Ckebcg32.exe	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Hgeqca32.dll	Eghkjdoa.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Nmhijd32.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Aopemh32.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Jhifomdj.exe	Iojkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Kolabf32.exe	Jafdcbge.exe
File opened for modification	C:\Windows\SysWOW64\Mablfnne.exe	Mledmg32.exe
File created	C:\Windows\SysWOW64\Khlaie32.dll	Mablfnne.exe
File opened for modification	C:\Windows\SysWOW64\Piapkbeg.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Bhblllfo.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Nnkoiaif.dll	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Hmjbog32.dll	Jadgnb32.exe
File created	C:\Windows\SysWOW64\Hpmhdmea.exe	Hiacacpg.exe
File opened for modification	C:\Windows\SysWOW64\Jadgnb32.exe	Jocnlg32.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Fniihmpf.exe	Fqeioiam.exe
File opened for modification	C:\Windows\SysWOW64\Hiacacpg.exe	Gbbajjlp.exe
File created	C:\Windows\SysWOW64\Kibeoo32.exe	Kolabf32.exe
File created	C:\Windows\SysWOW64\Mhoahh32.exe	Mcaipa32.exe
File opened for modification	C:\Windows\SysWOW64\Qhjmdp32.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Iijfhbhl.exe	Hpmhdmea.exe
File created	C:\Windows\SysWOW64\Jclnjo32.dll	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Gggikgqe.dll	Njljch32.exe
File created	C:\Windows\SysWOW64\Fefmmcgh.dll	Ojnfihmo.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Dapgni32.dll	Amnlme32.exe
File opened for modification	C:\Windows\SysWOW64\Ehbnigjj.exe	Egcaod32.exe
File created	C:\Windows\SysWOW64\Ffeifdjo.dll	Fkmjaa32.exe
File created	C:\Windows\SysWOW64\Loacdc32.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mcaipa32.exe
File created	C:\Windows\SysWOW64\Pfepdg32.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Baampdgc.dll	Fniihmpf.exe
File opened for modification	C:\Windows\SysWOW64\Fiqjke32.exe	Fkmjaa32.exe
File created	C:\Windows\SysWOW64\Lchfib32.exe	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Fniihmpf.exe	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Gdgfnm32.dll	Jocnlg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6112	5900	WerFault.exe	191

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejhef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldgkp32.dll"	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhdcii.dll"	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicgpelg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edbiniff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgjimp32.dll"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emamkgpg.dll"	Ehbnigjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iojkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbbajjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeegfibg.dll"	Dqbcbkab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcodk32.dll"	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mledmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihcbonm.dll"	4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgfnm32.dll"	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doojec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll"	Gejhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebijnak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dakikoom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kolabf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmcfjdp.dll"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicgpelg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpqggh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lohqnd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 1952	4012	4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d.exe	96
PID 4012 wrote to memory of 1952	4012	4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d.exe	96
PID 4012 wrote to memory of 1952	4012	4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d.exe	96
PID 1952 wrote to memory of 1484	1952	Pmiikh32.exe	97
PID 1952 wrote to memory of 1484	1952	Pmiikh32.exe	97
PID 1952 wrote to memory of 1484	1952	Pmiikh32.exe	97
PID 1484 wrote to memory of 1720	1484	Pnkbkk32.exe	98
PID 1484 wrote to memory of 1720	1484	Pnkbkk32.exe	98
PID 1484 wrote to memory of 1720	1484	Pnkbkk32.exe	98
PID 1720 wrote to memory of 896	1720	Pffgom32.exe	99
PID 1720 wrote to memory of 896	1720	Pffgom32.exe	99
PID 1720 wrote to memory of 896	1720	Pffgom32.exe	99
PID 896 wrote to memory of 2224	896	Palklf32.exe	100
PID 896 wrote to memory of 2224	896	Palklf32.exe	100
PID 896 wrote to memory of 2224	896	Palklf32.exe	100
PID 2224 wrote to memory of 3612	2224	Pnplfj32.exe	102
PID 2224 wrote to memory of 3612	2224	Pnplfj32.exe	102
PID 2224 wrote to memory of 3612	2224	Pnplfj32.exe	102
PID 3612 wrote to memory of 3056	3612	Qfkqjmdg.exe	103
PID 3612 wrote to memory of 3056	3612	Qfkqjmdg.exe	103
PID 3612 wrote to memory of 3056	3612	Qfkqjmdg.exe	103
PID 3056 wrote to memory of 4848	3056	Qhjmdp32.exe	104
PID 3056 wrote to memory of 4848	3056	Qhjmdp32.exe	104
PID 3056 wrote to memory of 4848	3056	Qhjmdp32.exe	104
PID 4848 wrote to memory of 4776	4848	Qacameaj.exe	105
PID 4848 wrote to memory of 4776	4848	Qacameaj.exe	105
PID 4848 wrote to memory of 4776	4848	Qacameaj.exe	105
PID 4776 wrote to memory of 2684	4776	Aphnnafb.exe	106
PID 4776 wrote to memory of 2684	4776	Aphnnafb.exe	106
PID 4776 wrote to memory of 2684	4776	Aphnnafb.exe	106
PID 2684 wrote to memory of 4016	2684	Adfgdpmi.exe	107
PID 2684 wrote to memory of 4016	2684	Adfgdpmi.exe	107
PID 2684 wrote to memory of 4016	2684	Adfgdpmi.exe	107
PID 4016 wrote to memory of 452	4016	Amnlme32.exe	108
PID 4016 wrote to memory of 452	4016	Amnlme32.exe	108
PID 4016 wrote to memory of 452	4016	Amnlme32.exe	108
PID 452 wrote to memory of 984	452	Akblfj32.exe	109
PID 452 wrote to memory of 984	452	Akblfj32.exe	109
PID 452 wrote to memory of 984	452	Akblfj32.exe	109
PID 984 wrote to memory of 4356	984	Aopemh32.exe	110
PID 984 wrote to memory of 4356	984	Aopemh32.exe	110
PID 984 wrote to memory of 4356	984	Aopemh32.exe	110
PID 4356 wrote to memory of 2444	4356	Bgkiaj32.exe	111
PID 4356 wrote to memory of 2444	4356	Bgkiaj32.exe	111
PID 4356 wrote to memory of 2444	4356	Bgkiaj32.exe	111
PID 2444 wrote to memory of 1864	2444	Bdojjo32.exe	112
PID 2444 wrote to memory of 1864	2444	Bdojjo32.exe	112
PID 2444 wrote to memory of 1864	2444	Bdojjo32.exe	112
PID 1864 wrote to memory of 1772	1864	Bmhocd32.exe	113
PID 1864 wrote to memory of 1772	1864	Bmhocd32.exe	113
PID 1864 wrote to memory of 1772	1864	Bmhocd32.exe	113
PID 1772 wrote to memory of 1116	1772	Bhmbqm32.exe	114
PID 1772 wrote to memory of 1116	1772	Bhmbqm32.exe	114
PID 1772 wrote to memory of 1116	1772	Bhmbqm32.exe	114
PID 1116 wrote to memory of 4484	1116	Bphgeo32.exe	115
PID 1116 wrote to memory of 4484	1116	Bphgeo32.exe	115
PID 1116 wrote to memory of 4484	1116	Bphgeo32.exe	115
PID 4484 wrote to memory of 4728	4484	Bhblllfo.exe	116
PID 4484 wrote to memory of 4728	4484	Bhblllfo.exe	116
PID 4484 wrote to memory of 4728	4484	Bhblllfo.exe	116
PID 4728 wrote to memory of 1984	4728	Chdialdl.exe	117
PID 4728 wrote to memory of 1984	4728	Chdialdl.exe	117
PID 4728 wrote to memory of 1984	4728	Chdialdl.exe	117
PID 1984 wrote to memory of 3864	1984	Cammjakm.exe	118

C:\Users\Admin\AppData\Local\Temp\4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d.exe
"C:\Users\Admin\AppData\Local\Temp\4ef4ea14779e346dc40d4d0fdc9a983c7a1ded2f78c8cc40052276779350e95d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\Pmiikh32.exe
  C:\Windows\system32\Pmiikh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\Pnkbkk32.exe
    C:\Windows\system32\Pnkbkk32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\Pffgom32.exe
      C:\Windows\system32\Pffgom32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
      - C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        32⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        38⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5188
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5280
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        64⤵
        Executes dropped EXE
        
        PID:5844
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        68⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        70⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        72⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        74⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        75⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        82⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        85⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        87⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        89⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        91⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        93⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        94⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 224
        95⤵
        Program crash
        
        PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5900 -ip 5900
1⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
64KB

MD5
80c9dfee7641b6f77c236e8ccb3dddc1

SHA1
d1780f460da3efbcf6a68fcb480b7ee43539cd36

SHA256
89fc84e9c67eb64f9047f58c5f4b443d2a7df948f31239ecbd458d79bf64ac35

SHA512
8f4f9f96aad2e738abf964725f555967afb090897398160a50795ca0cb636c570d42a7f17c2f3643037c9a684df062a88cb0568505bbc0504fa4558a9295343f

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
42KB

MD5
6b8849fa99d6eca39ff06ac7358277fd

SHA1
57fe70affbcb9c99b640a69d4feed298e810eccb

SHA256
99baab6fb09c1bec37f9449ed9322b2ae0bbad268ffcd07b975e161a65895583

SHA512
1d4e574fd87ddece3c853e3ebe0df4d0294b075ced5e4f1d2f84f73a16ca5abdb5f698b50ebbc943cbde83e2f81fba34941b327cb50d6c808615840e1a0e2232

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
107KB

MD5
c67b08f9895dcd3f640af1483a7e493e

SHA1
ad11c147fc558a4eed5aa3bd6eae7fd8beaa3b62

SHA256
c73d936a4283b5bf8bead6eff7352e6847098b4e9a919d72a8c0847506657a5a

SHA512
a187499144eaac3559d018e461927a40bab06a3f1b8faa55be62e9c936c6c92573f168b1115dd0b02aa175ee0544295bd00cf5bf0c0a57ecc7cc6e23b605dc7e

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
107KB

MD5
aa85498f29b0dbd5b4ddebc080efad5d

SHA1
af2a883c56aeb5c0774b7bc88d0b435b3c68643b

SHA256
714d46f8123aa3c64e1f8dfeb8f7f0770fb6e200347910e534ee64da178cafd1

SHA512
f03def5acf0b1ef49239d4ac85fbf4072fba73a63263967c8ad1e8b114a8b15128c6c7c7ccc2607c20713c6ebe244da82567cd7bae2396b5dc6ec04013ee72f0

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
107KB

MD5
65e4c296ae491b84108e99c3eeae8201

SHA1
333471fa50e86d4878159a914efce24ecd3eba95

SHA256
7fe03db5a7876f47d3d45e99cb2adf0ece699b44eb87cb633ce695c3f65cc2a7

SHA512
78c7199dfde67a8fc38e143bcb504a52f29db8f98ce8c6d1529983bac7cdc0c207eb318f376d7374ca0ac2b97daf232dd0bf078f44905688415e206ba7b3c562

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
107KB

MD5
606d70971405c1c70827f12d58e2e42f

SHA1
de1a30532038aa8620e79a2ff1343e125ce2c138

SHA256
cf709dbf5bccc22f1c707947802b7f9da97c11c6158c13c68f453ae51f8bbce0

SHA512
d964d1bb3013e4b19d577e9de2432fcad9439b0078391e5512e4b2749a3c6adf3af638415eb6f83efb4a58f6a45a33f23bfad2a49479b2cd29a650f5fd48eef4

Download Submit
C:\Windows\SysWOW64\Bdojjo32.exe

Filesize
107KB

MD5
0c2c8197c31a160e5a4b263755b69dfc

SHA1
30624522e27c97b3442f58efd65aad35e656a99b

SHA256
53b5a68d6ac6b97138c7cfb84fc013f7f98a299025bb9335c16d5f063656ee15

SHA512
ef1bf5cf05a66cd50f7235cee6792df2a46a704b7e2dc0a12b3bfd31b4fc8c8c8f3fa103f8d7b5dea87bf30f50d64a5182a7bd200419d2badfdbf5459c2a3b1d

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
107KB

MD5
3c755c826d042b9d64373c377594a4d9

SHA1
eadeb44fd519544923e82369d60aa75e372e93d2

SHA256
a9fe9632d6ea3ea3830d0e1ff9c43acc216a93a2fb76925d7a8f85b811e3fc8b

SHA512
cd8c5cb9e8d2e625bd133150a08a2d35bfe1aa65998fd16dae000fc9a5d660ec6b72d1217b8ac0a75dbf4d2b5b0c71a22ffac3c82bb331b93f9534719adceeb6

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
107KB

MD5
60d98cd9ee32ceb8dcf9f8abc86adffa

SHA1
b26f452182df7c838e203c0fa3fbe357a57d4503

SHA256
8df5799c053a7f2283ee6e28b0b72f8e7f992e2f549919ce982399dec37b1517

SHA512
d5d498ed4a221812106c52f6888ffbde888ef95b0c089b2123cb9318b2b83f9a6dbc26af418b9bc85872ab0713476cb5ad2fb67a3c697f0ce43290e69787fe29

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
107KB

MD5
5f43a023d5b63561ead60c31056c83df

SHA1
6f8071e5b65ebfb9c1e04012a75c0d6773b0b870

SHA256
19588226cd277757fefb09fe4307756daba48ae9a5265f9345e1d72bf3060579

SHA512
6516fb44f101902e5c3f66d733c7e779f7ac341e842f2d45716b5a27f14fe6aeabb346d49e3d848b7ef4a3c15d82ce5110bf614f15ea6b3aba660e0e0324c840

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
107KB

MD5
fb494331ecc500b38c47c6853b852fb1

SHA1
07e266ed3723bf5ce3e278b93574bdf0be1dc576

SHA256
28a6a0a60eba4ead8b2582df9adc29c3cd1ef048b51bb6d8cef788eb1af7104f

SHA512
639cb815683aa831f39f62dfdbd2f3f9c54b3dfaa17265a0945ed152126be0dccc3893f8ed27e373a4f3d758a6f09d7bc944bcbfa9c3596a3a28ef183fffa188

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
107KB

MD5
b6169c6eb74ff1fa166bad3edda8a865

SHA1
c3e595cb7be2225acbd1448d96a629512f09a4f4

SHA256
00d91d69a386009c2c406bad78bde7370203ee45c6886b2f1a85e5701b23f9db

SHA512
08b5bca8b61ba56c7eec21502b5a9944fb7f57a6bc13879f8fa0296a245eb4f2b2b696ef8a6c06540008236c65850be1ae8594f8eb8fd2ad906ff81a84598455

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
107KB

MD5
7a6f80964b21b02869c67f4dbc7ead68

SHA1
982b02c83dbd1282ae2c300649efe49ec1349e99

SHA256
2d42a882e38ece16a69c4161df820710769d2dce091b187e7cfe3f49a68031a7

SHA512
fa290a7bb90952a956ad35bb25ee0865c4f3ae6512b21d8affc88ffeca4fa29c107fa35d82426950267389e1419cafc33b8f9c7fa27f23dd6eddcf3fc91c1037

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
107KB

MD5
dc8654fe7d06913698e76e1301ce97fd

SHA1
8691182a97f49b5580f3b1de1f57ed9acdc610cd

SHA256
7fa84a6b3ad3bd856034e1ca369fe776668dcd8745a3ee96fbe94a5c881a173d

SHA512
9cc59b4598a574dd3ad5975bf91f74cd1bb816747bd2148ec193e9056e2341f7e2225f591239ec46c50e252cfd024272d57e2a9268f61398c330ac1e1d3d525d

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
107KB

MD5
8688561bc03bc9389da6e3a3db866ff3

SHA1
4b91fd6416ce5257784dee71a6ccc3319632cabc

SHA256
65c7c6218ce021fc58e51a0a86022f00b9411733afae032c124f989ba7cababa

SHA512
392ef62371d5c7583c590082790cf4829bb9f782e285b6d53d54b1c8597135191d68661eb76a921848e753cd3ed72cd859ace4ed0ef3a774e8c3157baef829ab

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
107KB

MD5
6856294c9535a42d1292b8681c29e3f1

SHA1
5625b0c0cc51dff922342847f3359e9e8c687e19

SHA256
8a250549f192671d487434255056612e415806c876a26252cbb6809354ff6190

SHA512
65ec5c57ea6485a9264e0917c3c10e8266ea1e390b2998cd914d3f6982ded96441988fea547fd58b2479fbd84465791a2f2cb68844a84c18910fae54ce2625d1

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
107KB

MD5
e9b9560946add24c22b46fc1f8903e4e

SHA1
45b39a8bb1b95494a324c7cec13ab26c2888eaf7

SHA256
c7ab1dfe844e486945dc99fd3c789a1af96f5934f3af3189cc705446f2176db0

SHA512
5b9927f89266cc91e56b5a54cd293891e4b5bd290760eb1685890abe723fe71d1e8b4a8fc8f9bde1cc6a3736738f5900e94531e6e784f2fd5d6ca2cdc4cfcd23

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
107KB

MD5
4a6653dc3ff24c8f1b04eaf0d3f663f3

SHA1
fe583ad7a1b236b600964f4c8d22525e87507e28

SHA256
ce113a230299738386c4bd666d5f72fbff12cda5db7dedaedbc5559e328a3ae4

SHA512
fc76959cf35bfaaefc14c0fdc7aca2285a75367a192a4e3615df474359eb70d8acc4ec4a01b76e47c060cf1a9422f97f7d2e811acfc4d6faae150f752f3ed636

Download Submit
C:\Windows\SysWOW64\Dakikoom.exe

Filesize
107KB

MD5
82668b3b640fc66495700c3890d1a927

SHA1
eef918992b20ddb09c8fbd472b6cc744db67139b

SHA256
4a3235b2b27747c6b6a427ab097f1e6fff4b6e3c38e8bf3ce76e91f54d6b29a6

SHA512
ae2e178b1b1b2a966ba30a2e80204de035878139837c9df4d3f7cc51c20d124f86b22db0287b74b38cb1b5d155cb329177a8ea210bfc7a1c54e7b935c88e9b58

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
107KB

MD5
77d26db58e22ddf3eb61f94dbe36d8b0

SHA1
9f518c2ae7c3eb2fc77a58ab25209220d6685b74

SHA256
0a545ca0e6f7965ef26ad6b20803888cd085951d7f599f25767d0e731c133008

SHA512
1ed57551388b160a74afdf66305623ef60d12cbea41e518a3ec07a677ef35ea3f6d3172d6b27605dc4b4b5661ac4fb8809f30bd13a1ab4e1eaef640b81b46fe3

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
107KB

MD5
1313114f04c2c14542e8ec161fe47352

SHA1
09968d953d278391d2f6316cb336b1a53c7e2c21

SHA256
ca41fb382c29b9bbdc1b7eeb18ef453ffb2ce9189581e8525279d67f4cf53d34

SHA512
13fcf40d16076b986f48701b9a252416e58b609ab8d4de805e0ac71f7e1ddab68fbd829dd4decdc6766f22e75232a209e6c5fc1b33b26efaf7541e3d7ecb6835

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
107KB

MD5
6cf2dc1803aea2bd6a9e853dcd3d9cff

SHA1
429ce6c0b3da355f26f7ff5e3709eb1a1ef21366

SHA256
7914911acd7f6fe4732d6608f7c6b63fbdc7514f7c555c2053686341d4d7c924

SHA512
3abd28ae2e2b88dc27f793fbc0bb88d00222f968b7131bfe615be39277ba5ab397f16f84d3ba65defccaf9777440712e43c0ecce182062b04ee46eb3fe1c2d49

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
107KB

MD5
35c029e5f3e8cece29ca741a65ad6e69

SHA1
d5896ba3cb6583ea06058a45c5e786388ca0fb7f

SHA256
2a5829c783e7f3b7ad17689500a68523d64c2a63dd3f05ab2e50be381eaba23b

SHA512
66882f9a00d7c3a9e5422a8942dc501311a70a33d25d69772b80d115ad58f4770da7128e3a336be39491e611587a78db40f06b325d8773bef453f102664ee5e7

Download Submit
C:\Windows\SysWOW64\Edbiniff.exe

Filesize
107KB

MD5
4d18b3dd001dbe72b70b0557810f3518

SHA1
eae8b9e5d43759d40bfe540d952d9bc6385eade9

SHA256
c435479c548ace9c04e05ecf6f98c09e446a66ea1b365275d4dca1ef9ea87944

SHA512
600075ea822f150876148fed61bf2ce1b842f8f8deeb979763fa7221ce233680b5cfb58f793ceb10966416fa66d50e6f4584c182cf47ae0a320fdd3f7f26e551

Download Submit
C:\Windows\SysWOW64\Enfckp32.exe

Filesize
107KB

MD5
95214f430e53fe3fce5aaf81538a5227

SHA1
db5d876b2d968eea4bbb6fe0c7afe8673191147d

SHA256
c231bfa8ac864e9fdd422ca2984c17f6b20f70d2e1eedfcf43f5fc410b1db34c

SHA512
5c8b6bfc579764c5b566aeee3d1789a5077ee53c1c06fd40a30b3ac989f7cf46079a8f39ebec2e156ad893b4f1db716362b63efcdac1e732dba83f912ac102c3

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
107KB

MD5
613c2a3ec2c288dbc0b98f0aa6d85cde

SHA1
ce4c0cdbdbfacb35210d5f6ce8dd6e8571f153fe

SHA256
cb1847dd05842339d7df142228c25f80598046cde53dfd6cbcb4ace9fba48d4b

SHA512
b339f1a08e9fa1c69df5fcf0877e7cb16c90c0c2f385a1184bf0de387cd4978f3e783cae23ad5c36eb8d85ffe2cf027fa29c511481187bf1fa206f8196d7b056

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
107KB

MD5
afd7a3c38b21f36ee145fea2e0b028ab

SHA1
573c9f92caf63e071a81823560472e16fd821bcc

SHA256
e27b3c3bbd6387247ce82908022a1ae2141df2df0e16edd2cb6fef6a4851514c

SHA512
86ec9c3014a5f6e05796e250c8c69b79a66f732282787a02405b9cb43eb74db1a04d0730a8c37eab0017c8a54f8ec4c7700f656782ae814bc2a6afb44df4f624

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
107KB

MD5
8bed3a7480adac63895d672d1a707744

SHA1
4922214323a2abb2e350fda3538c64bd9a7276b2

SHA256
c357f56dcf2de87e401afa21d0485e3a68f9fe2527691ca8a420c057bcf33ab0

SHA512
8d7c7e141316bb20f34e88bafb99f241fa10abef4b98eab8c1bda188eccff79e93a13c28c5fa9dc228bea51fe29bdc1709a2ad99dffef51dd05746e1025d4b01

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
107KB

MD5
67ed3337d41cf6db948df618c563d38e

SHA1
033d12d1c79a4ecc841db8cd212f2807fdb729a9

SHA256
74705647a07c4b45345a6c419d1246677666bc7b1a244d52c6ca09c715e74f9e

SHA512
8727a951f5daab4bd364eb24afbc80f2d9104288c555e3f92f9852129909f46073b696f9958f7c98a7bdc3caa1677a6355ede6b972e16efebf8a36461b33f8f5

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
107KB

MD5
15d793d2bccc76e19f148627ddac39cb

SHA1
20b6721249de93c6c13aa7d74fe00e8f36da7c1c

SHA256
1f282e5ca56f04f37118e6f911447d09c641f197828954d026c08b69e2db0e30

SHA512
d635a855434d355f56a535a3dcef3a79c973b597e0eb60cc24b1e888e23cce948ff54947335a573fa09b118f7f714a050eb1ec1cec1dad9f4df709a72747ebdb

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
107KB

MD5
c3f8aa61901e4d47d9a0cc7074f99108

SHA1
1b9ff6f03abc036aa7d570a6cd985a61ddea01e3

SHA256
93ab789df938301776461b83421104e77aff6741b2c079476d518cf40e8866ee

SHA512
7ea3e71ec3010b5589695784ebcb76f11a3fb1cf8b44c181382603824f0ff341ad6b20e8a9e8b48a769237d6cb279b54a358e9ce78b09718d158d827b06e20c1

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
107KB

MD5
f67ddec63b54631ac8a7df9dffed2308

SHA1
8781e3ef2a76054d2e9731bb7ca334ccaf522785

SHA256
75b64c078c6730349b167ce25eca1b93bc7e69f8ccfe33537c5b722232f27b7e

SHA512
92e11d3ab93d9621a311e30eede460fe6992dc9db2dc516f9c878950a60aafecadbbedbf35a3fe622fee31e12cd9c33a0d65e547dff6df0830af454f9164063e

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
107KB

MD5
0ea47b3536fd9dba53923794f1bf3700

SHA1
64d6322c17d7abba0ddbf54477bbcf9463ac484a

SHA256
fe759905e2e0bfef10317343da3636d1629e52e95bd3961f775e272ecc1519c7

SHA512
3c450853a986b65b659b60918fbd772f13435bb1741fb6de7af4648af0b9c5fda5fb664b70e8820d1644ca7afd304464e7dd32d6ebcff88572e92181436c0f5d

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
107KB

MD5
039d28df5a161b9bc846bd9975be6b86

SHA1
8d7a6c00d108e9ac0632d2e4203a20e101267d40

SHA256
24eb04caf8920a22dd82709e847959eb4daaf014a7311bafe4739a2c913f92a6

SHA512
cfb5e9b3618154bfd0ce1e64a7431be401e5090467a56c09b84f40e758bc7e0b34f62d15e40b9561bf82bc241f7fbc2e21644c6fa8032bf2616791a2a48c26b4

Download Submit
memory/452-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/984-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1216-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1216-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1264-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1456-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1484-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1484-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1772-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1772-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1864-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2184-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2184-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2780-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2968-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3612-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3612-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3664-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3784-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4016-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4016-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4108-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4108-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4356-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4456-221-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4456-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4484-166-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4488-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4488-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4728-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4776-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4776-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads