879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
Size

120KB
MD5

a05b9c41cbae2a88222e39513f228b77
SHA1

9cee0a4f4886f3c453bc03b2049b3b5c7e1cbfbf
SHA256

879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee
SHA512

701b80300c3d549ec0b59535b7c6f10c4050c7c507180198ef86283136bb3bf11a86163e977d72d449b4fa556f0c449227c434a505f4b198410fa783d8e172eb
SSDEEP

1536:kKpEWFU0qsV4zmpXFdMDPL7m0G+L1rS10P1+g56uZvjz0cZ44mjD9r823F4:kKpEWsmpVdMDP35dUg4uZci/mjRrz3C

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adpkee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdgafdfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egoife32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbfdjdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdgafdfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cadhnmnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcmlcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anafhopc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpgljfbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anccmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anccmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpfojmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnobnmpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anafhopc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cklmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkommo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmehnan.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emieil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egoife32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkommo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnobnmpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cppkph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfamcogo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emieil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmehnan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adpkee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpfojmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpgljfbl.exe

UPX dump on OEP (original entry point) 33 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012243-5.dat	UPX
behavioral1/files/0x0027000000015c13-21.dat	UPX
behavioral1/files/0x0007000000015c7a-34.dat	UPX
behavioral1/files/0x0005000000018690-60.dat	UPX
behavioral1/files/0x0007000000015cb3-51.dat	UPX
behavioral1/files/0x0006000000018aec-82.dat	UPX
behavioral1/files/0x00050000000186a4-77.dat	UPX
behavioral1/files/0x0006000000018b36-98.dat	UPX
behavioral1/files/0x0006000000018b46-118.dat	UPX
behavioral1/files/0x0006000000018b36-106.dat	UPX
behavioral1/files/0x0006000000018b6f-121.dat	UPX
behavioral1/files/0x0027000000015c25-141.dat	UPX
behavioral1/files/0x0006000000018ba8-147.dat	UPX
behavioral1/files/0x00050000000192f8-167.dat	UPX
behavioral1/files/0x0005000000019338-177.dat	UPX
behavioral1/files/0x000400000001938e-194.dat	UPX
behavioral1/files/0x000400000001939f-205.dat	UPX
behavioral1/files/0x0004000000019405-219.dat	UPX
behavioral1/files/0x0004000000019421-231.dat	UPX
behavioral1/files/0x000400000001944f-239.dat	UPX
behavioral1/files/0x0004000000019469-247.dat	UPX
behavioral1/files/0x000400000001946e-256.dat	UPX
behavioral1/files/0x0004000000019476-260.dat	UPX
behavioral1/files/0x00040000000194a7-274.dat	UPX
behavioral1/files/0x00040000000194d5-283.dat	UPX
behavioral1/files/0x00040000000194db-293.dat	UPX
behavioral1/files/0x00050000000194eb-303.dat	UPX
behavioral1/files/0x00050000000194ee-312.dat	UPX
behavioral1/files/0x00050000000194f3-322.dat	UPX
behavioral1/files/0x0005000000019529-335.dat	UPX
behavioral1/files/0x0005000000019520-332.dat	UPX
behavioral1/files/0x0005000000019548-351.dat	UPX
behavioral1/files/0x000500000001956d-361.dat	UPX

Executes dropped EXE 32 IoCs

pid	Process
2688	Anafhopc.exe
2560	Anccmo32.exe
2644	Adpkee32.exe
2948	Bpgljfbl.exe
2908	Bjlqhoba.exe
2496	Bkommo32.exe
1260	Bdgafdfp.exe
2480	Bmpfojmp.exe
1980	Blgpef32.exe
1040	Cadhnmnm.exe
1732	Cklmgb32.exe
1048	Cgcmlcja.exe
1012	Cnmehnan.exe
1588	Cnobnmpl.exe
1180	Cppkph32.exe
2300	Ccngld32.exe
2296	Djklnnaj.exe
772	Dfamcogo.exe
2140	Dhbfdjdp.exe
1964	Ddigjkid.exe
988	Dkcofe32.exe
940	Eqpgol32.exe
2928	Egjpkffe.exe
1628	Ebodiofk.exe
1564	Ejkima32.exe
1016	Emieil32.exe
980	Egoife32.exe
1032	Eqgnokip.exe
1956	Efcfga32.exe
2936	Emnndlod.exe
2676	Echfaf32.exe
2548	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2232	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
2232	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
2688	Anafhopc.exe
2688	Anafhopc.exe
2560	Anccmo32.exe
2560	Anccmo32.exe
2644	Adpkee32.exe
2644	Adpkee32.exe
2948	Bpgljfbl.exe
2948	Bpgljfbl.exe
2908	Bjlqhoba.exe
2908	Bjlqhoba.exe
2496	Bkommo32.exe
2496	Bkommo32.exe
1260	Bdgafdfp.exe
1260	Bdgafdfp.exe
2480	Bmpfojmp.exe
2480	Bmpfojmp.exe
1980	Blgpef32.exe
1980	Blgpef32.exe
1040	Cadhnmnm.exe
1040	Cadhnmnm.exe
1732	Cklmgb32.exe
1732	Cklmgb32.exe
1048	Cgcmlcja.exe
1048	Cgcmlcja.exe
1012	Cnmehnan.exe
1012	Cnmehnan.exe
1588	Cnobnmpl.exe
1588	Cnobnmpl.exe
1180	Cppkph32.exe
1180	Cppkph32.exe
2300	Ccngld32.exe
2300	Ccngld32.exe
2296	Djklnnaj.exe
2296	Djklnnaj.exe
772	Dfamcogo.exe
772	Dfamcogo.exe
2140	Dhbfdjdp.exe
2140	Dhbfdjdp.exe
1964	Ddigjkid.exe
1964	Ddigjkid.exe
988	Dkcofe32.exe
988	Dkcofe32.exe
940	Eqpgol32.exe
940	Eqpgol32.exe
2928	Egjpkffe.exe
2928	Egjpkffe.exe
1628	Ebodiofk.exe
1628	Ebodiofk.exe
1564	Ejkima32.exe
1564	Ejkima32.exe
1016	Emieil32.exe
1016	Emieil32.exe
980	Egoife32.exe
980	Egoife32.exe
1032	Eqgnokip.exe
1032	Eqgnokip.exe
1956	Efcfga32.exe
1956	Efcfga32.exe
2936	Emnndlod.exe
2936	Emnndlod.exe
2676	Echfaf32.exe
2676	Echfaf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ddigjkid.exe	Dhbfdjdp.exe
File opened for modification	C:\Windows\SysWOW64\Eqpgol32.exe	Dkcofe32.exe
File opened for modification	C:\Windows\SysWOW64\Ebodiofk.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Ejkima32.exe	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Anccmo32.exe	Anafhopc.exe
File opened for modification	C:\Windows\SysWOW64\Bkommo32.exe	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Djklnnaj.exe	Ccngld32.exe
File created	C:\Windows\SysWOW64\Hhijaf32.dll	Dkcofe32.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cklmgb32.exe	Cadhnmnm.exe
File opened for modification	C:\Windows\SysWOW64\Cgcmlcja.exe	Cklmgb32.exe
File created	C:\Windows\SysWOW64\Cadhnmnm.exe	Blgpef32.exe
File created	C:\Windows\SysWOW64\Ffpncj32.dll	Emieil32.exe
File created	C:\Windows\SysWOW64\Egjpkffe.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Bpooed32.dll	Bmpfojmp.exe
File created	C:\Windows\SysWOW64\Cgcmlcja.exe	Cklmgb32.exe
File created	C:\Windows\SysWOW64\Lnfhlh32.dll	Cnmehnan.exe
File created	C:\Windows\SysWOW64\Dfamcogo.exe	Djklnnaj.exe
File created	C:\Windows\SysWOW64\Ddigjkid.exe	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Egoife32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Oegjkb32.dll	Bpgljfbl.exe
File created	C:\Windows\SysWOW64\Bkommo32.exe	Bjlqhoba.exe
File opened for modification	C:\Windows\SysWOW64\Djklnnaj.exe	Ccngld32.exe
File created	C:\Windows\SysWOW64\Dlkaflan.dll	Ccngld32.exe
File opened for modification	C:\Windows\SysWOW64\Dfamcogo.exe	Djklnnaj.exe
File created	C:\Windows\SysWOW64\Emieil32.exe	Ejkima32.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Egoife32.exe
File opened for modification	C:\Windows\SysWOW64\Bdgafdfp.exe	Bkommo32.exe
File created	C:\Windows\SysWOW64\Gojbjm32.dll	Blgpef32.exe
File opened for modification	C:\Windows\SysWOW64\Bjlqhoba.exe	Bpgljfbl.exe
File created	C:\Windows\SysWOW64\Qmhccl32.dll	Bdgafdfp.exe
File opened for modification	C:\Windows\SysWOW64\Cadhnmnm.exe	Blgpef32.exe
File opened for modification	C:\Windows\SysWOW64\Dkcofe32.exe	Ddigjkid.exe
File created	C:\Windows\SysWOW64\Abkphdmd.dll	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Ebodiofk.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Adpkee32.exe	Anccmo32.exe
File created	C:\Windows\SysWOW64\Bjlqhoba.exe	Bpgljfbl.exe
File opened for modification	C:\Windows\SysWOW64\Emieil32.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Inegme32.dll	Efcfga32.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Anafhopc.exe	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
File created	C:\Windows\SysWOW64\Eqpgol32.exe	Dkcofe32.exe
File created	C:\Windows\SysWOW64\Cnmehnan.exe	Cgcmlcja.exe
File created	C:\Windows\SysWOW64\Opiehf32.dll	Cgcmlcja.exe
File created	C:\Windows\SysWOW64\Mledlaqd.dll	Dhbfdjdp.exe
File created	C:\Windows\SysWOW64\Egoife32.exe	Emieil32.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Egoife32.exe
File created	C:\Windows\SysWOW64\Efcfga32.exe	Eqgnokip.exe
File opened for modification	C:\Windows\SysWOW64\Bpgljfbl.exe	Adpkee32.exe
File created	C:\Windows\SysWOW64\Bdgafdfp.exe	Bkommo32.exe
File created	C:\Windows\SysWOW64\Cppkph32.exe	Cnobnmpl.exe
File opened for modification	C:\Windows\SysWOW64\Ccngld32.exe	Cppkph32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbfdjdp.exe	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Najgne32.dll	Emnndlod.exe
File created	C:\Windows\SysWOW64\Dkjgaecj.dll	Anccmo32.exe
File created	C:\Windows\SysWOW64\Bmpfojmp.exe	Bdgafdfp.exe
File created	C:\Windows\SysWOW64\Mhkdik32.dll	Cnobnmpl.exe
File created	C:\Windows\SysWOW64\Dhbfdjdp.exe	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Oghiae32.dll	Dfamcogo.exe
File opened for modification	C:\Windows\SysWOW64\Ejkima32.exe	Ebodiofk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2284	2548	WerFault.exe	59

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdgafdfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojbjm32.dll"	Blgpef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cadhnmnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmehnan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll"	Bmpfojmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adpkee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cklmgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egoife32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgaecj.dll"	Anccmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll"	Dhbfdjdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anccmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpgljfbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cklmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll"	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkbjhpi.dll"	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmehnan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll"	Cnobnmpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll"	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adpkee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll"	Dkcofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpfojmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiehf32.dll"	Cgcmlcja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpgljfbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkommo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cadhnmnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbcodmih.dll"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anafhopc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooklook.dll"	Adpkee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhccl32.dll"	Bdgafdfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll"	Cnmehnan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cppkph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhbfdjdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll"	Ejkima32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2688	2232	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe	28
PID 2232 wrote to memory of 2688	2232	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe	28
PID 2232 wrote to memory of 2688	2232	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe	28
PID 2232 wrote to memory of 2688	2232	879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe	28
PID 2688 wrote to memory of 2560	2688	Anafhopc.exe	29
PID 2688 wrote to memory of 2560	2688	Anafhopc.exe	29
PID 2688 wrote to memory of 2560	2688	Anafhopc.exe	29
PID 2688 wrote to memory of 2560	2688	Anafhopc.exe	29
PID 2560 wrote to memory of 2644	2560	Anccmo32.exe	30
PID 2560 wrote to memory of 2644	2560	Anccmo32.exe	30
PID 2560 wrote to memory of 2644	2560	Anccmo32.exe	30
PID 2560 wrote to memory of 2644	2560	Anccmo32.exe	30
PID 2644 wrote to memory of 2948	2644	Adpkee32.exe	31
PID 2644 wrote to memory of 2948	2644	Adpkee32.exe	31
PID 2644 wrote to memory of 2948	2644	Adpkee32.exe	31
PID 2644 wrote to memory of 2948	2644	Adpkee32.exe	31
PID 2948 wrote to memory of 2908	2948	Bpgljfbl.exe	32
PID 2948 wrote to memory of 2908	2948	Bpgljfbl.exe	32
PID 2948 wrote to memory of 2908	2948	Bpgljfbl.exe	32
PID 2948 wrote to memory of 2908	2948	Bpgljfbl.exe	32
PID 2908 wrote to memory of 2496	2908	Bjlqhoba.exe	33
PID 2908 wrote to memory of 2496	2908	Bjlqhoba.exe	33
PID 2908 wrote to memory of 2496	2908	Bjlqhoba.exe	33
PID 2908 wrote to memory of 2496	2908	Bjlqhoba.exe	33
PID 2496 wrote to memory of 1260	2496	Bkommo32.exe	34
PID 2496 wrote to memory of 1260	2496	Bkommo32.exe	34
PID 2496 wrote to memory of 1260	2496	Bkommo32.exe	34
PID 2496 wrote to memory of 1260	2496	Bkommo32.exe	34
PID 1260 wrote to memory of 2480	1260	Bdgafdfp.exe	35
PID 1260 wrote to memory of 2480	1260	Bdgafdfp.exe	35
PID 1260 wrote to memory of 2480	1260	Bdgafdfp.exe	35
PID 1260 wrote to memory of 2480	1260	Bdgafdfp.exe	35
PID 2480 wrote to memory of 1980	2480	Bmpfojmp.exe	36
PID 2480 wrote to memory of 1980	2480	Bmpfojmp.exe	36
PID 2480 wrote to memory of 1980	2480	Bmpfojmp.exe	36
PID 2480 wrote to memory of 1980	2480	Bmpfojmp.exe	36
PID 1980 wrote to memory of 1040	1980	Blgpef32.exe	37
PID 1980 wrote to memory of 1040	1980	Blgpef32.exe	37
PID 1980 wrote to memory of 1040	1980	Blgpef32.exe	37
PID 1980 wrote to memory of 1040	1980	Blgpef32.exe	37
PID 1040 wrote to memory of 1732	1040	Cadhnmnm.exe	38
PID 1040 wrote to memory of 1732	1040	Cadhnmnm.exe	38
PID 1040 wrote to memory of 1732	1040	Cadhnmnm.exe	38
PID 1040 wrote to memory of 1732	1040	Cadhnmnm.exe	38
PID 1732 wrote to memory of 1048	1732	Cklmgb32.exe	39
PID 1732 wrote to memory of 1048	1732	Cklmgb32.exe	39
PID 1732 wrote to memory of 1048	1732	Cklmgb32.exe	39
PID 1732 wrote to memory of 1048	1732	Cklmgb32.exe	39
PID 1048 wrote to memory of 1012	1048	Cgcmlcja.exe	40
PID 1048 wrote to memory of 1012	1048	Cgcmlcja.exe	40
PID 1048 wrote to memory of 1012	1048	Cgcmlcja.exe	40
PID 1048 wrote to memory of 1012	1048	Cgcmlcja.exe	40
PID 1012 wrote to memory of 1588	1012	Cnmehnan.exe	41
PID 1012 wrote to memory of 1588	1012	Cnmehnan.exe	41
PID 1012 wrote to memory of 1588	1012	Cnmehnan.exe	41
PID 1012 wrote to memory of 1588	1012	Cnmehnan.exe	41
PID 1588 wrote to memory of 1180	1588	Cnobnmpl.exe	42
PID 1588 wrote to memory of 1180	1588	Cnobnmpl.exe	42
PID 1588 wrote to memory of 1180	1588	Cnobnmpl.exe	42
PID 1588 wrote to memory of 1180	1588	Cnobnmpl.exe	42
PID 1180 wrote to memory of 2300	1180	Cppkph32.exe	43
PID 1180 wrote to memory of 2300	1180	Cppkph32.exe	43
PID 1180 wrote to memory of 2300	1180	Cppkph32.exe	43
PID 1180 wrote to memory of 2300	1180	Cppkph32.exe	43

C:\Users\Admin\AppData\Local\Temp\879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe
"C:\Users\Admin\AppData\Local\Temp\879e3d0601fcc4b391288a53d3ca5c64863a7150fffad0f2b444becefaa154ee.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\Anafhopc.exe
  C:\Windows\system32\Anafhopc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Anccmo32.exe
    C:\Windows\system32\Anccmo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\Adpkee32.exe
      C:\Windows\system32\Adpkee32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Bpgljfbl.exe
        
        C:\Windows\system32\Bpgljfbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\SysWOW64\Bjlqhoba.exe
        
        C:\Windows\system32\Bjlqhoba.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Bkommo32.exe
        
        C:\Windows\system32\Bkommo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Bdgafdfp.exe
        
        C:\Windows\system32\Bdgafdfp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Bmpfojmp.exe
        
        C:\Windows\system32\Bmpfojmp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Blgpef32.exe
        
        C:\Windows\system32\Blgpef32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Cadhnmnm.exe
        
        C:\Windows\system32\Cadhnmnm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Cklmgb32.exe
        
        C:\Windows\system32\Cklmgb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Cgcmlcja.exe
        
        C:\Windows\system32\Cgcmlcja.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Cnmehnan.exe
        
        C:\Windows\system32\Cnmehnan.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Cnobnmpl.exe
        
        C:\Windows\system32\Cnobnmpl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Cppkph32.exe
        
        C:\Windows\system32\Cppkph32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ccngld32.exe
        
        C:\Windows\system32\Ccngld32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Djklnnaj.exe
        
        C:\Windows\system32\Djklnnaj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Dfamcogo.exe
        
        C:\Windows\system32\Dfamcogo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Dhbfdjdp.exe
        
        C:\Windows\system32\Dhbfdjdp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Ddigjkid.exe
        
        C:\Windows\system32\Ddigjkid.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Dkcofe32.exe
        
        C:\Windows\system32\Dkcofe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Egjpkffe.exe
        
        C:\Windows\system32\Egjpkffe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Emieil32.exe
        
        C:\Windows\system32\Emieil32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Egoife32.exe
        
        C:\Windows\system32\Egoife32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Echfaf32.exe
        
        C:\Windows\system32\Echfaf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        33⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 140
        34⤵
        Program crash
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adpkee32.exe

Filesize
120KB

MD5
e2a82b3bb407c11c473f25c3a8b47c8e

SHA1
3ddcc39d2b84bcec9f906e590cc937fb66dfa6fe

SHA256
be526d33715de35e26b6c7f1ce1c30d3c772f66abe8d38244247a2633b951751

SHA512
03b18641f2b8e203ef0c928705984b7b8149a053446a8e32162c48f68ccbd8202d6308b2bbe4deb0b3c3e2b7f48cc7bfe5866b6f674b448e8dd261b73220f70b

Download Submit
C:\Windows\SysWOW64\Bjlqhoba.exe

Filesize
120KB

MD5
b6292c4751c58fdd8e812d2addc5c6ea

SHA1
9d56a21fe557fa7c21829b5be5db05a12407c166

SHA256
7e130e20642df99b1c2d7860710a99906e4c9860d4d9833610984f9085740235

SHA512
54310bacc0a87076d523ebe03d780d91fa8f6fdd0ea9dd0e2ad35e17a1e5d82ce85115c6fd7f77dd489eec7a42b659b5439665970f572459dd0ddbf9a16fe3d9

Download Submit
C:\Windows\SysWOW64\Bkommo32.exe

Filesize
120KB

MD5
f6e41cc7947248c7186dd8463cb894a7

SHA1
63b7fdba1797169d079022ba37fb5cab0b9a40f9

SHA256
0b7bf86945b73840256c7c727a52a614e1c37b86951b17ddc1d8a8b49f5f2560

SHA512
6e640bb9cb4f9c30404456c8f237298d88fd764ee78a4fa47072d432c35117f15df42675f3239c9339c26ef7987e49dfe9931abf8e0ba0af5a68e3c787a8e3d3

Download Submit
C:\Windows\SysWOW64\Blgpef32.exe

Filesize
120KB

MD5
f5df2cceda733cbeb3305a9c053caeaa

SHA1
882b9f6f9df9cbae44b9952766913aff945ac616

SHA256
6029c45b76d79f185ab31d1f28fdf4e570acff782ae8916ceed1cad60b08c32e

SHA512
883705ae115886e5ce1759a7f8e4f4b7e5ebcb9b0effc4888d2f1757eef065748521abd800b1c6e801470ac1d1173d66b0bc305c3a2ebf0d06aa8d9dae293019

Download Submit
C:\Windows\SysWOW64\Bmpfojmp.exe

Filesize
64KB

MD5
c3520145bc54a3e895a9693c5eaf206b

SHA1
4d9a74125b644eb959b6a65c7c9347da6fd6ce95

SHA256
2a9e4b593771a802eb3f539acb0b17d92bd83e41cbec0b7af8051e3bfaefeffa

SHA512
1e61c64e44463fb00245111a52e7631fe6c97603240b35f5cc20ce771b93d6dbc2491c55cae4f2331a93e148ce0fccc2de810fdec405dffb8736b2819b677b64

Download Submit
C:\Windows\SysWOW64\Bpgljfbl.exe

Filesize
120KB

MD5
13aa50a9e5614f80bdd3f56677ef2591

SHA1
b62e9fd13abb6c72dbfd3282191067d44d4b2beb

SHA256
26136e717f0c98d7f74c1d51593e5c1a0df5ff3df3548a616fe560a90e8c9b30

SHA512
462c14e913be0654d7b13111e97e7715e47448666f9d8b682c2df322771e2ca05b477d0244ae6a07c2277df8b335111c502c1e1821e920fc5d2b3aecc5572cf2

Download Submit
C:\Windows\SysWOW64\Cadhnmnm.exe

Filesize
120KB

MD5
ac452b1fccf8057bee17beea6be5bab4

SHA1
612d3e4b3f17901f00054ccb416a9089f9cd8621

SHA256
db79ffcc8f5deda4e5f5bfb0c741507febee321da5456709d4380a531312852c

SHA512
db24c2dce6a0b4b93529534f1f0f1b9b31d1437bd6e5797a97d3a4ad47be26c1be671810e9e2de1e909a1a04ed74c6719c5ba21f2e2ae4ca0799b93d6d1dd253

Download Submit
C:\Windows\SysWOW64\Cgcmlcja.exe

Filesize
120KB

MD5
516fcd7fb0a9d0146408a5f7c6935b80

SHA1
9dcd67e8b3d8da3673b64ffe0321768c24431dd5

SHA256
ed2dc35b7d2e35ba57b9bb7dd397e534f6dd70648e096a477d6abb95a6ae5fe9

SHA512
960d86225c946f74429f7e145f707f0a6552db95e3ecee87c7b5430c3800919b47fb6c6d3e8ae84e60e31c0a91d61a0063f79355410a3c28e6ff854347b91e94

Download Submit
C:\Windows\SysWOW64\Cklmgb32.exe

Filesize
120KB

MD5
dd302c450b73af0cbbf505cf786f0081

SHA1
73eb06a670f296dda81c965ea38d2ff1e9144703

SHA256
674b211caa00230f3b7596444f1db944093ef339c1d9bc2a815c2109621fcc18

SHA512
8a7ce726d4be102fc5ebccbd51efde9a27819e35d814a8ef0f018534ad27484c2513b3567fa2013733d9c8d7b2311b31779e04d8375fe45be90f98ba99a76b02

Download Submit
C:\Windows\SysWOW64\Cnmehnan.exe

Filesize
120KB

MD5
a98cf8ace5e77b0c99c4f4a94ba40e28

SHA1
3634ce1689a36489c97e89c07a45584895a73e6a

SHA256
30b54856bc6ae5e69f4fb0cb32ee47bd1713d8a30e417c600c763d595d18e517

SHA512
a7cd4d141d92a497d5b68f1d19709fdd94a5861154949db9cae9702cf59dedb285c35458bf75511dc216f362ec234c3c268f051c3928988fdd6485af01b21887

Download Submit
C:\Windows\SysWOW64\Cppkph32.exe

Filesize
120KB

MD5
5022a44c6b765d3202b6c91a99f07f54

SHA1
7f6c5b4b52adf9df3c75cdbca61170b7e89c8951

SHA256
ddd774338b0582fc3de2e3254873b585b5e342c3bdd1e16e002ee416e18e7c8c

SHA512
d59e73357fc68b883390cc974663a136831ffa57e782f2ef0dd5c71067d5f8915b5d6bdae248b1d71e5ff887bdafa1818931a502cdea45b3dcae2178081d1ab6

Download Submit
C:\Windows\SysWOW64\Ddigjkid.exe

Filesize
120KB

MD5
8aae65e6d26dca52125c67441a987c18

SHA1
6a6c791f67797d6366857e80bebfe00bc81fd9c3

SHA256
7688c72f99a636ab2522d754d2d7cdef18f1ba1694844ede2e294dbb94e4f4c6

SHA512
ed6c9379df9d6c100dab2cd7eed9752f12793383f56028e83d2ade8be254627183b949875d52e28fe880989ca9b337d271c30487fa1beda2b484adcdc824cef3

Download Submit
C:\Windows\SysWOW64\Dfamcogo.exe

Filesize
120KB

MD5
6e54daf580e7be84edb5960e9b72d25c

SHA1
261d8a179a18f2720cb107ce33748477352173f1

SHA256
65065b8da86ed9181648071a8dbdc6cbe39cd306e1b28176b54d0aa2a68c93b8

SHA512
59fe9eab447c4a03553b8f8978f08a487e7302bfef363a4a0fff91a46da6667d72376cf1b0b3b2354309063ef3b13afb29dc5de3becc1ac2fc5499abdea8bbfd

Download Submit
C:\Windows\SysWOW64\Dhbfdjdp.exe

Filesize
120KB

MD5
5b2edfd76a467cb88d691bdf4c3cdc07

SHA1
1124dc12e086b2f061d51c534dab7be7e8d49c3e

SHA256
be0a8e07e78a3998637f71613bcafb0ed51915bf04a9aeb6f3b68f7f0d741a50

SHA512
f63d05f9afd95bc8fc9c8a88338031bd022015d7e881d4d6b8391d4121dea1654b4000eea6b9d1c537e8240a15c059b7bcddf0dba65dd20250cad2c9d0fd23f6

Download Submit
C:\Windows\SysWOW64\Djklnnaj.exe

Filesize
120KB

MD5
e83fa7241a14a5a1d2978e5350aebead

SHA1
0e4364f19681e3c17d1165fd550126bc05324ddc

SHA256
f0cc566c2c05b2e0a3d47632c4326419b8d7bd24e1619af9b4feccb71423a58b

SHA512
12f8438b3a2cc9132a3efae80a800f2f5954764466a95199ed247700ef7f7218408b662868ab666f45016f38e1b07f7bb6688e9a749d78911d0b9f70ed8799c7

Download Submit
C:\Windows\SysWOW64\Dkcofe32.exe

Filesize
120KB

MD5
4338b1ba3e932a47f375ff45b14b5fe4

SHA1
a933fb69a86dec4241a754bd5e6cbcab5b91ed82

SHA256
6e8a9ec7bb53a651cf1f43ab49cc3d029c2abfbaff008793bacb577c44506848

SHA512
b0b5b2fac2991dc2a656f66421e868cbfbaf40ca512a35197c5e834dd95e4e3b2b46e4f976ef3f44d0010215c00d13e10fe9ce8e56b2ff5eb85060b9c2e4f570

Download Submit
C:\Windows\SysWOW64\Ebodiofk.exe

Filesize
120KB

MD5
42dbc6846ca459050883689b86fdcd48

SHA1
ae2ff38f4d511e67b610c5abc10c3384ca15fef7

SHA256
5d17be5a6ad4b0a22268037432366ea729b98b505db84076d868402b923cb321

SHA512
f40471e48df06cab3b845f931aa7d644d85d8ccc8636a57cd5e5ec8eac8b62d6543ee2ec2dc72792902333e220825e21aa0cc07ccbd5a78228c432f36210a9ad

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
120KB

MD5
77784b8e450a84cbae05b45c2e10011d

SHA1
aef856d2fe0d991328bfb4a2fafd0e0606e706d6

SHA256
eb388468271d0c152205a9ac4ecc2522b5eb17ae0f4c2e358e95699d537907bb

SHA512
3b937626c8b8181f23e03f9f0a0c95f9611af89d91b32dc248a76aa173240325a65a73680d5f9df8dd6bf30bd4083845461bf2c325a7444ec2c4d2644483ae58

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
120KB

MD5
3d6b929137f09a5999a7a60be7d03591

SHA1
8ad5b865706e1f2c569ea81a5c4d830dbd45e5d4

SHA256
db6d666a32b9b635c08c9c6248343cc03cf86fcda929388a9715b4e4a8228089

SHA512
05996f11506ece738b36c44a7af152706bc3012c11e3f53300c2cc13969cf21e006a561dafc5fc53022371a9d19ee979c80cbcd6d5aff0dbf9c91e6bfd50d1da

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
120KB

MD5
02d92c228889ddfc72956891d251da6f

SHA1
58f9eb3735cda40ac395a5ef5b676a2dc23f3f96

SHA256
446f3e9f8cd81bb5354eea1c25a8691153408bb99606bd144a5ef1338dfbf3f8

SHA512
a42a4ffcdb0c52cab0c24f567c04b34b77fd90f67e0aa578acc9053a82ec5026528b20437842d2c66e76e2db896d528c7bf70ad3fe74b2576f89a2bbf673c7b4

Download Submit
C:\Windows\SysWOW64\Egoife32.exe

Filesize
120KB

MD5
55a51fbf6dfafcba0ed488abb37c666b

SHA1
17bdb3211dd2b223646bdd2e730f92bd4564d98e

SHA256
d0b421e8527cbc7091acea4e6d0d06271bc39d0678333cb41b6c8d4f5ca549d8

SHA512
8cee226bd6a781a56168c1c613a7b862e6b3e5cf3dce49428f217a6d54ec09b493751939c1f43a0b4f9be70c0e3e1d61189649c6542da09f870b2583fa103eda

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
120KB

MD5
c13789068a8a2ec44e0c16efb38fb37b

SHA1
900fa4488b1d97ccb364f5194342d86b36754f71

SHA256
515c106eb20e10015510107e3fdbeb583f5bc8a99b85c7bf595bc5d59ec149d2

SHA512
2c90970e28cd2aee0f387ac80e2e0022e6eab020c2cf41bb983b45e9f8b5840c73d39f16d6bbe045ce04169f896fc560f060b427f5d86e656304629db5b507b4

Download Submit
C:\Windows\SysWOW64\Emieil32.exe

Filesize
120KB

MD5
26d72c48ce5d675d07a32173095a4a38

SHA1
eceabcab95841c506499af5f3370f0b56238706e

SHA256
5a924944fa6de43985ac3d228cca15d4955e14e6ffb604212868b95f51a2dc3d

SHA512
8c292d727c03d972e79656395a709aa3fe17cffbeab802d251bda90969fa780cda912e3331bcd83ec6b83a6bf16d8979d2f53848989d533cf30410489054fa00

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
120KB

MD5
065072fb1fb29cf0b0d398f24416acdc

SHA1
2a79daf3cc07e336df9da8e97859d16dd4b6f376

SHA256
4d6e86d731791ad5d494c1b91f850f3883a82f557973067aa106e0cff916632f

SHA512
ffabc1822f6e3a8ec63a030d4b738c7da2028db1d83c10c3115d0736ede5a0000cfe1388909e47b90247f22074b0fdac9cde50a0efbfb7e699baae973c9e1624

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
120KB

MD5
0cb0a0160d0ad4ee3db8f574ad8d50cc

SHA1
ebeb764dc9e629b622df9fc2025eb517adb6cafe

SHA256
da4c1c97800c2236bb6e8932f44e0e0c2cf2b3b9ed2afdc61c0fada3cd72222a

SHA512
b2e41977dba4cdbdfc21ab9daa2ac53fa7a5319f03e39a6a9a66480fc936a21e6407404dbc708e0b29a6df6050b1a091afa912c62572622436b2243f8242dfc5

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
120KB

MD5
12705592fb2afef9ac8ec78b7bf43554

SHA1
8f7e5032c61ab669a5fd5c9acde9c49182ad4c4f

SHA256
fd726c6404e38a8437040724fc04e5eb1afd6ece35f251fff69da391987e8c3b

SHA512
412c19ea015a337cda1272b98f52ebb33813ec2a9d5e46f5898cb2f02332f6af1d0bfb1d812520921fa7494b31ca6f63ff4627880bab3776d778eda09fd9e25d

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
120KB

MD5
744c4ecfe8ca1d932498a5815078497b

SHA1
38b4e856e2b8f44906653c788c21884ab1ded352

SHA256
d8d5d26fb47e66a1b17949a9b461d710ec864692f5e48943c0e4438fd3c9e9b4

SHA512
66bb3e9d5d61e7996e49d941f292c5e56990f3cef1de8b7ebb9d96d80109c2d649f1dd913ffc027247e2630c26b6a0809d51ace699fdb492d621ea9d2905ac33

Download Submit
C:\Windows\SysWOW64\Iooklook.dll

Filesize
7KB

MD5
ba24872505c1c9f962f04e490900cedb

SHA1
67dd82b77641d932b0ea940d4af675763c4fe889

SHA256
10d079ab417abcb48209605191c757be6ec87ca5cf9bb7521f067add7f124d1e

SHA512
34226a75e97b37ebf16470bb81f94cdb621d533d61f0803a531e459e00341fabb40fa7567f60164ab895db1799956317425e209c3869b469880b5bfdbdaa8c9f

Download Submit
\Windows\SysWOW64\Anafhopc.exe

Filesize
120KB

MD5
a4024cd1346ed211210d77d63b28bae6

SHA1
fb1fc5e86523d6019dcbbaecd01dfa8d43c2ff6a

SHA256
73b7d3310f839e5fd5087c61d978b6442ebe16ca1570b84804e7493d8c4ca92b

SHA512
99d23114759f2f661948b9b6175a6593418e3fdee0740f24f790b9497820ef1b854f4889003076af23fa273ea906a3b246efaf257785af5994ae4244b5e39cac

Download Submit
\Windows\SysWOW64\Anccmo32.exe

Filesize
120KB

MD5
3c83f41a430c0c381c5beadf129a453c

SHA1
c2b95173da3eb5a92d1af6ae125532e3edd1a033

SHA256
db6fde284f699d8cac7bfcf141cb254f71ff60fd90e47e2455e4c61459a636d7

SHA512
cd9f70c1c726659d462fadb25b447016f4b4f62d23b637a95f16107f972026b94a2dc0b873afaf381ee8933e8c952ae3acaceeef6fd1d1ee36a74c4e73c7801b

Download Submit
\Windows\SysWOW64\Bdgafdfp.exe

Filesize
120KB

MD5
b782f81cb430f7f359015a6002ee9e1a

SHA1
64a324f7f768409de48cbc35f3a257a6acac64a5

SHA256
0cc8e6edcb084e11d5e14fddf15a28db2000015469ebe87973ecd7c7ded303b3

SHA512
f24f09613ee8d779fc6ec831b36f7f754d8e25b2ddf9578f84548420977de518997fd7721e161b6536ca455728a9f23089f94a7d622ad8d500ebb7ad9f97e65a

Download Submit
\Windows\SysWOW64\Bmpfojmp.exe

Filesize
120KB

MD5
7645d5aba671f86fb49c72adf9ddb2db

SHA1
e3278a077c449c4e100929ef9112f9c419c2a94c

SHA256
0bdc78f594b56330819b772a9ba550d7c2366e74ac37288074c79881f2253e6c

SHA512
58fb337095456bef10cb5b38f19ad1e2fa3aa91e37609c6aeb452ca7f2e577bb5c94f10297d29ed2acaf6b20b4062119e36725c182ca3c64658863b8fe7bb217

Download Submit
\Windows\SysWOW64\Ccngld32.exe

Filesize
120KB

MD5
ce478b5630c4228c6b72f8213ee08819

SHA1
7b6cf8616708e4eb7d7eabdf13ed22dd5dd2e771

SHA256
3fe59fc5a43c81fdb9a199f14d7f79bde72f70ac686f965049a26c6bcfc98df4

SHA512
310900f1bee170534d4080187a4ab23136a9f2832c817cdfc7b1f71a1a8677c5e97187a43c39838e94c4ffa3144a41dac92086bfc3aa706b1b8d707fc0dd1968

Download Submit
\Windows\SysWOW64\Cnobnmpl.exe

Filesize
120KB

MD5
8c849a71103b047266100a49a618e90d

SHA1
55d8f79e96f7e5af7c91a0b113260c8fb09fbaed

SHA256
16d61358ff9ab2946405f42456558ac99158d1326e8abfe593a0df619b8c7745

SHA512
3d0ed6679b8a5289ec95a9ed1972044ec42cd16fb65494fd9f7cb17b20442d10e4fbbb3f179c8437d6d509877c07cb2ee1f0a3478218ceea2d0dad321fd90f49

Download Submit
memory/772-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-238-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/940-331-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/940-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-277-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/980-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-325-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/980-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-365-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/988-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/988-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-183-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1012-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-364-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1016-315-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1016-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-373-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1032-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-367-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1040-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-99-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1260-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-302-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1564-359-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1564-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-199-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1588-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-348-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1628-301-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1732-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-370-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1956-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-369-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1964-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-13-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2232-6-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2232-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-228-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2296-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-91-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2496-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-372-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2676-377-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2676-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-286-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2928-287-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2936-375-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2936-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-371-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2948-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads