2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e.exe
Size

94KB
MD5

a1e40acf4988edcd1da7efb780e3cfcc
SHA1

bae1a2c65823d4d4d61d66198776262577160a9c
SHA256

2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e
SHA512

6232d3da91f3b9767c55e545f68a6ecf6f9a9072bba3222c4e292b379daadfdb5da44fbcb78b5af45a55b74921d7cd25267570055b072426762ba6d2c79512ef
SSDEEP

1536:wPN+RiXDGms1mfFGtC2MfKT/1ZSs2LUaIZTJ+7LhkiB0MPiKeEAgv:wPgRiXDGmmc2eKCUaMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabkbono.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baepolni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qikbaaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abhqefpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpogkhnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afockelf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Binhnomg.exe

Executes dropped EXE 64 IoCs

pid	Process
1160	Qiiflaoo.exe
1092	Qapnmopa.exe
3224	Qfmfefni.exe
3816	Qikbaaml.exe
4284	Aabkbono.exe
3432	Apeknk32.exe
3584	Acqgojmb.exe
2024	Afockelf.exe
3844	Amikgpcc.exe
976	Apggckbf.exe
3212	Abfdpfaj.exe
3248	Aiplmq32.exe
4328	Aagdnn32.exe
2836	Abhqefpg.exe
4616	Afcmfe32.exe
2224	Aibibp32.exe
2248	Amnebo32.exe
3696	Aplaoj32.exe
3444	Adgmoigj.exe
1612	Affikdfn.exe
5084	Aalmimfd.exe
4976	Adjjeieh.exe
3924	Afhfaddk.exe
4140	Ajdbac32.exe
3916	Bmbnnn32.exe
1544	Bpqjjjjl.exe
3864	Bdlfjh32.exe
1508	Bjfogbjb.exe
4496	Biiobo32.exe
3624	Bmdkcnie.exe
4312	Bpcgpihi.exe
4444	Bbaclegm.exe
2704	Bjhkmbho.exe
2924	Biklho32.exe
3240	Babcil32.exe
4540	Bdapehop.exe
1408	Bbdpad32.exe
4828	Bkkhbb32.exe
5036	Binhnomg.exe
2308	Baepolni.exe
2052	Bphqji32.exe
1428	Bfaigclq.exe
4716	Bmladm32.exe
4492	Bagmdllg.exe
2696	Bdeiqgkj.exe
2876	Bbhildae.exe
2968	Bgdemb32.exe
3404	Cibain32.exe
4548	Cmnnimak.exe
1056	Cajjjk32.exe
216	Cpljehpo.exe
2736	Cbkfbcpb.exe
3976	Cgfbbb32.exe
3804	Ckbncapd.exe
2276	Cienon32.exe
3756	Calfpk32.exe
4768	Cpogkhnl.exe
4684	Cdjblf32.exe
344	Cgiohbfi.exe
3572	Ckdkhq32.exe
4564	Cigkdmel.exe
4512	Cpacqg32.exe
668	Ckggnp32.exe
2716	Cmedjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bkkhbb32.exe	Bbdpad32.exe
File opened for modification	C:\Windows\SysWOW64\Cpogkhnl.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Dmjmekgn.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Qikbaaml.exe	Qfmfefni.exe
File created	C:\Windows\SysWOW64\Inmalg32.dll	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Khihgadg.dll	Aabkbono.exe
File opened for modification	C:\Windows\SysWOW64\Afhfaddk.exe	Adjjeieh.exe
File opened for modification	C:\Windows\SysWOW64\Dknnoofg.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Biklho32.exe
File opened for modification	C:\Windows\SysWOW64\Bfaigclq.exe	Bphqji32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Cpacqg32.exe	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Amikgpcc.exe	Afockelf.exe
File created	C:\Windows\SysWOW64\Ajbfciej.dll	Apggckbf.exe
File created	C:\Windows\SysWOW64\Aplaoj32.exe	Amnebo32.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Elekoe32.dll	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Biklho32.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Higplnpb.dll	Abhqefpg.exe
File created	C:\Windows\SysWOW64\Deiljq32.dll	Bpqjjjjl.exe
File opened for modification	C:\Windows\SysWOW64\Biklho32.exe	Bjhkmbho.exe
File created	C:\Windows\SysWOW64\Ghfqhkbn.dll	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Bjfogbjb.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Anbgamkp.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Bphqji32.exe	Baepolni.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Affikdfn.exe	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Bjfogbjb.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Dilcjbag.dll	Bdapehop.exe
File opened for modification	C:\Windows\SysWOW64\Cdolgfbp.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Hnmanm32.dll	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Aagdnn32.exe	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Cmnnimak.exe
File opened for modification	C:\Windows\SysWOW64\Cpljehpo.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Aplaoj32.exe	Amnebo32.exe
File opened for modification	C:\Windows\SysWOW64\Affikdfn.exe	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Aalmimfd.exe	Affikdfn.exe
File created	C:\Windows\SysWOW64\Aldclhie.dll	Bbdpad32.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Aanpie32.dll	Apeknk32.exe
File created	C:\Windows\SysWOW64\Paenokbf.dll	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Glofjfnn.dll	Bmbnnn32.exe
File opened for modification	C:\Windows\SysWOW64\Bkkhbb32.exe	Bbdpad32.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Cgmhcaac.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Defgao32.dll	Afockelf.exe
File opened for modification	C:\Windows\SysWOW64\Amnebo32.exe	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Cpogkhnl.exe
File created	C:\Windows\SysWOW64\Hhdjkflc.dll	Amikgpcc.exe
File created	C:\Windows\SysWOW64\Mjaofnii.dll	Baepolni.exe
File opened for modification	C:\Windows\SysWOW64\Cmedjl32.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Qfmfefni.exe	Qapnmopa.exe
File opened for modification	C:\Windows\SysWOW64\Acqgojmb.exe	Apeknk32.exe
File created	C:\Windows\SysWOW64\Jdnoeb32.dll	Acqgojmb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3592	4160	WerFault.exe	162

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glofjfnn.dll"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defgao32.dll"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdjkflc.dll"	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apggckbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Cmedjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caaimlpo.dll"	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boplohfa.dll"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biklho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdcdg32.dll"	Adjjeieh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipimhnjc.dll"	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qikbaaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphqji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Biiobo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adjjeieh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Babcil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1160	1516	2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e.exe	84
PID 1516 wrote to memory of 1160	1516	2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e.exe	84
PID 1516 wrote to memory of 1160	1516	2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e.exe	84
PID 1160 wrote to memory of 1092	1160	Qiiflaoo.exe	85
PID 1160 wrote to memory of 1092	1160	Qiiflaoo.exe	85
PID 1160 wrote to memory of 1092	1160	Qiiflaoo.exe	85
PID 1092 wrote to memory of 3224	1092	Qapnmopa.exe	86
PID 1092 wrote to memory of 3224	1092	Qapnmopa.exe	86
PID 1092 wrote to memory of 3224	1092	Qapnmopa.exe	86
PID 3224 wrote to memory of 3816	3224	Qfmfefni.exe	87
PID 3224 wrote to memory of 3816	3224	Qfmfefni.exe	87
PID 3224 wrote to memory of 3816	3224	Qfmfefni.exe	87
PID 3816 wrote to memory of 4284	3816	Qikbaaml.exe	88
PID 3816 wrote to memory of 4284	3816	Qikbaaml.exe	88
PID 3816 wrote to memory of 4284	3816	Qikbaaml.exe	88
PID 4284 wrote to memory of 3432	4284	Aabkbono.exe	89
PID 4284 wrote to memory of 3432	4284	Aabkbono.exe	89
PID 4284 wrote to memory of 3432	4284	Aabkbono.exe	89
PID 3432 wrote to memory of 3584	3432	Apeknk32.exe	90
PID 3432 wrote to memory of 3584	3432	Apeknk32.exe	90
PID 3432 wrote to memory of 3584	3432	Apeknk32.exe	90
PID 3584 wrote to memory of 2024	3584	Acqgojmb.exe	91
PID 3584 wrote to memory of 2024	3584	Acqgojmb.exe	91
PID 3584 wrote to memory of 2024	3584	Acqgojmb.exe	91
PID 2024 wrote to memory of 3844	2024	Afockelf.exe	92
PID 2024 wrote to memory of 3844	2024	Afockelf.exe	92
PID 2024 wrote to memory of 3844	2024	Afockelf.exe	92
PID 3844 wrote to memory of 976	3844	Amikgpcc.exe	93
PID 3844 wrote to memory of 976	3844	Amikgpcc.exe	93
PID 3844 wrote to memory of 976	3844	Amikgpcc.exe	93
PID 976 wrote to memory of 3212	976	Apggckbf.exe	94
PID 976 wrote to memory of 3212	976	Apggckbf.exe	94
PID 976 wrote to memory of 3212	976	Apggckbf.exe	94
PID 3212 wrote to memory of 3248	3212	Abfdpfaj.exe	95
PID 3212 wrote to memory of 3248	3212	Abfdpfaj.exe	95
PID 3212 wrote to memory of 3248	3212	Abfdpfaj.exe	95
PID 3248 wrote to memory of 4328	3248	Aiplmq32.exe	96
PID 3248 wrote to memory of 4328	3248	Aiplmq32.exe	96
PID 3248 wrote to memory of 4328	3248	Aiplmq32.exe	96
PID 4328 wrote to memory of 2836	4328	Aagdnn32.exe	98
PID 4328 wrote to memory of 2836	4328	Aagdnn32.exe	98
PID 4328 wrote to memory of 2836	4328	Aagdnn32.exe	98
PID 2836 wrote to memory of 4616	2836	Abhqefpg.exe	99
PID 2836 wrote to memory of 4616	2836	Abhqefpg.exe	99
PID 2836 wrote to memory of 4616	2836	Abhqefpg.exe	99
PID 4616 wrote to memory of 2224	4616	Afcmfe32.exe	100
PID 4616 wrote to memory of 2224	4616	Afcmfe32.exe	100
PID 4616 wrote to memory of 2224	4616	Afcmfe32.exe	100
PID 2224 wrote to memory of 2248	2224	Aibibp32.exe	101
PID 2224 wrote to memory of 2248	2224	Aibibp32.exe	101
PID 2224 wrote to memory of 2248	2224	Aibibp32.exe	101
PID 2248 wrote to memory of 3696	2248	Amnebo32.exe	102
PID 2248 wrote to memory of 3696	2248	Amnebo32.exe	102
PID 2248 wrote to memory of 3696	2248	Amnebo32.exe	102
PID 3696 wrote to memory of 3444	3696	Aplaoj32.exe	103
PID 3696 wrote to memory of 3444	3696	Aplaoj32.exe	103
PID 3696 wrote to memory of 3444	3696	Aplaoj32.exe	103
PID 3444 wrote to memory of 1612	3444	Adgmoigj.exe	104
PID 3444 wrote to memory of 1612	3444	Adgmoigj.exe	104
PID 3444 wrote to memory of 1612	3444	Adgmoigj.exe	104
PID 1612 wrote to memory of 5084	1612	Affikdfn.exe	105
PID 1612 wrote to memory of 5084	1612	Affikdfn.exe	105
PID 1612 wrote to memory of 5084	1612	Affikdfn.exe	105
PID 5084 wrote to memory of 4976	5084	Aalmimfd.exe	107

C:\Users\Admin\AppData\Local\Temp\2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e.exe
"C:\Users\Admin\AppData\Local\Temp\2cb312b41b32662815e2277c0f95340494e66f67734e16e08fb4d944ab338c4e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\Qiiflaoo.exe
  C:\Windows\system32\Qiiflaoo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\Qapnmopa.exe
    C:\Windows\system32\Qapnmopa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\Qfmfefni.exe
      C:\Windows\system32\Qfmfefni.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
      - C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        25⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        61⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        63⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        69⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        71⤵
        Drops file in System32 directory
        
        PID:472
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4288
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        77⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 400
        78⤵
        Program crash
        
        PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160
1⤵
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabkbono.exe

Filesize
94KB

MD5
de7bc403b12e8d2e84017e610c417d61

SHA1
37836f791ae16eb2ac91e310352acd1920733d15

SHA256
cd84218320ca922a8e092f930585da3c327824f66f0f497c947032fb95444b37

SHA512
20472f12a701b2319e36a3b293e0700130c1913562ea8a36436ef1ba09f0346ffc60599022c27219bff9a025b135db09533797d223ff3d90b34686a15e71387b

Download Submit
C:\Windows\SysWOW64\Aagdnn32.exe

Filesize
94KB

MD5
ac8157eba1d93fb89350b8c5d68d160d

SHA1
5698ed03f703299b4582ac099a38d2d5b8338699

SHA256
a17cb711d803db2c36682b4fc265dba49db0e9d4e27d6d8086fa5c5e5cd74bd9

SHA512
a20852864a05a626d493ae9d2ea8c328333a4dd6eca9fecd546a337ff0dca58b711b3a6b5e71fcf6d5b685099641b77fd4ac91675cbdbf52f13d25a50d672c34

Download Submit
C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
94KB

MD5
7ea4ed104821eae45c73b9392de995af

SHA1
0801740f987f2c4a1fadc94cc855e6b76e8dbdde

SHA256
2918675108ceade03b8a085801a0e093e5e444609128d877e88f4eebf4509db4

SHA512
bfdbeadeee0cd5d9ff813f1967384fc4678042e0eb6834856f05b3d5d91e419b54b46ba9941fd949fb6aa4851199db1b6274d632fcfba373d4a7cdbcbcd16301

Download Submit
C:\Windows\SysWOW64\Abfdpfaj.exe

Filesize
94KB

MD5
299fb2b0e6e9906a1c8a185a86640afa

SHA1
d3adebc559a5b3a8b20cc8464be7725025baaa87

SHA256
8d83132c86c1fde7283de4fa410d23e65d575558306d5bdf77b7cabd657c6c2c

SHA512
0f1eae3ac6d7bdf7bba3881542f05a08ca828f88c6a5cd3c05a8c45116abc530c21c284237399e0fc2731914b48c7b102335e04778f1749ad04048375160c9ce

Download Submit
C:\Windows\SysWOW64\Abhqefpg.exe

Filesize
94KB

MD5
d0c160c305de023b357d884adb4ed2a1

SHA1
ebc73d057f7b36523975dcd256e2aecdd647e589

SHA256
b09a7006c3b4e470ae4d909ce3f3f1914f2cddf954c69cfe1163b486b0fd9a5e

SHA512
de9bae190c993d122022e23800139213b6c290b1901e41eca2fb7dd5068492ca4b2802bbd1e0ba521b7e7099cbdb2e2957b87718347afba063b3d7dae758ae8a

Download Submit
C:\Windows\SysWOW64\Acqgojmb.exe

Filesize
94KB

MD5
4ee460741b44244ad9463b1c299cec5b

SHA1
a4a9b5f10778014dcb47d299413976e94b6e55b2

SHA256
9ecd21f11c4bcb70d1018fcca4404dd1ea1ff366a415889c0929ae6df7666c35

SHA512
884d903ec5835268184a9efb9b52c5bf766ccb3709a205bd457f5757eb97929cf6a3965a7a2476e73910ba93747d7e0bfe61708698f2e64a2dad61e8b6e60b6f

Download Submit
C:\Windows\SysWOW64\Adgmoigj.exe

Filesize
94KB

MD5
aad600ef7bbfb92f46d315cdc9ea3678

SHA1
02c106f88c914592fb2209fa8748437b2be2ae31

SHA256
ebe57805564cb12135bab381645e85057734ba711f7e1a86f01fdd4f0a7c0368

SHA512
74597229290e3a437b3206af96ca3c76d9c4aac3760e15c5265d02c28f7ed667b443330890e749fdca08740cb7dc74620c09c3ecbf4acb31c470c2bfc0982400

Download Submit
C:\Windows\SysWOW64\Adjjeieh.exe

Filesize
94KB

MD5
95d33f8fcf0e4fa5c8dbd0a281cbaf7a

SHA1
cb25f45486204bf1f73d86f65ede990888b9a2e9

SHA256
96b5deb1da9fe4a320a5e2e5f006fe1e6e4f304d2a100547cd325a9937a600a9

SHA512
ce755f0450e9dd23f04e3280d2920ae91e6bc15aef0131012ac47531ccde7041b6f46303172b957a8da2c806a319348a501080fa23a9160c54f129508f268bdb

Download Submit
C:\Windows\SysWOW64\Afcmfe32.exe

Filesize
94KB

MD5
d6e9fc5a46bba9583492398015c45b55

SHA1
90c42c08b67ec2a05aa3fc78bf5dc6bb8c317e75

SHA256
810a0c421992dc2b388b33c640592d90b08fc5bec96373873d0c4e21f205cbc1

SHA512
92c85e600bb4df30078dd00887d193d6a8044145267355d44dadaa282a1b52b11d5fcdb2ed461260a2124141f3cb82d0b548710919a37c9908088c9d1bc74201

Download Submit
C:\Windows\SysWOW64\Affikdfn.exe

Filesize
94KB

MD5
7bdede16d77b514f47fe1a6bd35ea117

SHA1
5ebf44c445f0639874788e123ad277a61a6b1f4a

SHA256
e161358f48d969bc998183af85780126db16188b2dc7ecb1a007e25ac7fe32b2

SHA512
1f2951db26439ae9b551283e9059916bfab55eac92fc5aaef03a4109efc614737f015967dfdfef9ae722a6e5bcfe5bdc21fa477da8516adcdf7ab96149de6c8b

Download Submit
C:\Windows\SysWOW64\Afhfaddk.exe

Filesize
94KB

MD5
0d92677acb9409bd06d1fae33c06601d

SHA1
7c3b148435a7d325761eea394f7cbe770c0289dd

SHA256
1d5d685bc48e1d96e65e307de788dbf5f6f9f94415193e6f3dfa47995c335d2a

SHA512
01f122fd1258c3e665b2682c79c134da69eba12ce4a7f1d72a91b738cdd7a8c2dfeae00f33170a4b6f9e2903243dea61443cde9da9beab563d1267e16c7e931a

Download Submit
C:\Windows\SysWOW64\Afockelf.exe

Filesize
94KB

MD5
75665508799f5da8c58b060fdba63337

SHA1
d9569446a41dd98a6f9f43401786466cad2489f1

SHA256
365a2eeca1f6367945e4c04568229e9774c5dab63b474efaf9b67781075e33de

SHA512
0f1c69ae2e58e5a4e57adea82a16d4613c57af5b8ba87884a80c609e582b19fef55c1a2a9bd89e52f3c76c83d6be178d4a53c9708f3444181f194f9dafd4c87e

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
94KB

MD5
dc5732d275366d3b0ffd2c6d34fc8856

SHA1
7332b5a6ea717cd5236fe814eaef978a0f740a88

SHA256
1cb17b18313c4d7880368d8bc519689d0e0c5934e1f2c167d13b5dff7f490243

SHA512
e55f8e03181b7d49397850411815d56c989208656c163d7cb75e9ae8fdd217622c26b8a032dd9c042bedbd850ccb6c3b7867f7d0c907b10fdc10bbf26985f348

Download Submit
C:\Windows\SysWOW64\Aiplmq32.exe

Filesize
94KB

MD5
6681f87b365cc3806e4a68f540ee11ef

SHA1
085ba12cd0bd945896613c62073c7e2dc0f304e5

SHA256
488b1d29a4385400b8892f2767dfdeb68a27ba602f5480e5feb7833e7490f263

SHA512
917bb7db5330da63cf0c45772cb3a0c4226cd2292a0dd5f2ef9aa6ef3f80977a47c81e7f55d4d12650012a637db4b9dabab8c2a4df57816355ed9e3c521210e0

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
94KB

MD5
d25e45fe7d395d2e4a2f3ceab51da354

SHA1
224e8103384fd5ba15939d1356059e08b938cf66

SHA256
58b427c6f205f5b9f932b624de6f9006929884c1bd71d6065e978d2c1ee2f996

SHA512
93e65a72d99c6e1135520bb42cee6aa3011dd8730aca1c8dd97a620093a3096762aa956d9e16388d06cb37d535c72671c31fd52e4c76dc9df67697e549958131

Download Submit
C:\Windows\SysWOW64\Amikgpcc.exe

Filesize
94KB

MD5
610cc0d62492d69d7a6da92a971bf2ef

SHA1
486ec29b64c67ac77917d28f3db0afba6a3c0392

SHA256
970db5fd3896441bf591308525631341db1a46b9c10d16d897da0936d129c3ea

SHA512
68b2f89f34cd329343ce900ce73567fd769c5418aaddab8cc0a49842278f0fdd535c7bb0c394025c95d6d25e94a1e47642a88bca68fcfd3871f15c3ace5bd90e

Download Submit
C:\Windows\SysWOW64\Amnebo32.exe

Filesize
94KB

MD5
97563f260d32490bc9b716e96acd778f

SHA1
7678369e24a44e4a0af77da43d4cd02c62167d60

SHA256
7d223c4f175b3cad4093c1b49b41f769d17cd16b693308b5e05c41a9e37ecf13

SHA512
34aecdba16653e9907f8c9a086ac5f13a751f4aa511251c702716e4437f3b94b1961e35e40d932e855f2bc06767fdd5da45e5205e55b3064f91c82844e7db58b

Download Submit
C:\Windows\SysWOW64\Apeknk32.exe

Filesize
94KB

MD5
ee9dcefb410663a306a99a4195895c7b

SHA1
492c691ccd492fcd05701f48faceaa9de87f5ee3

SHA256
61b9c0cc57652920d99653cc061d36ece26ab1465890b4c1898835e8cecaeb77

SHA512
e7bf6a5eeb972bdd16266327a6bee576582d2c503531f0fef0efd8cac755d9bb073293bfc4c94692dc3fdf6db3d619029f8c5865f76d89b6730c74fb43cf1c17

Download Submit
C:\Windows\SysWOW64\Apggckbf.exe

Filesize
94KB

MD5
a27dcf3b283bdaabc94e635338f95930

SHA1
c8436358cb3c7e7077bf0db7a682d02b0513b237

SHA256
631b9f36e13a1871f08922671d2b7186220f00dc26f175e988570bee6435fa93

SHA512
47c0dfceb59e961fb01d53a33527430aaa71e408f71da599544de5259b0fea29ac0ab2905b9eda4746b5f0564ed96fc64d9074b90ddab9ae11d0e0cdad7cc3d6

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
94KB

MD5
b5136d412cfc6df1ce0b5a41e7d10b54

SHA1
1fb4303b69142d506bcd04c71b6dfb68d1f87314

SHA256
8808c4b15d09e49c96591541459c9e2085873b6914481b0db7e828a030ac1b8d

SHA512
d6583b34d6e1c244c4106fccb8a1ab6423ca96182aec8d3e5b13a46c913273fd44dda5859de173c31c2758d5bebf8343cc6fe71b0c9532e402ab10db2bdcb5d5

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
94KB

MD5
765a09ba5806d43fc73317b53eec61cf

SHA1
7684f226cee1f7cc53e8181a4ffa5107ace1b805

SHA256
eac874167ce509fcb3f800a4a5f6a700cd5a6bee592be208473db7a6736b4b1a

SHA512
cd373f42c17ece850a1d3a5016be91a8e5a649b11079f965e4cb27ccb7eef5e1745a5bb64ba4a4cd40306c8beccbfa0813845baa58e884f9c3eb6f19be555198

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
94KB

MD5
80cce48b8d889f523b33d7d0deb35c3d

SHA1
8058640f7f36e252ac45be0d7223e103a5c6b882

SHA256
76072bfa12b6ef10c219c69b0cf0a86a0b13c313e2b761119150253dd3f7f6b9

SHA512
45ff15aa7a8bde8147ec48dad6ac6cd148fdf8bf075a968776f21243e958cf08c863e6a117f62033703f11fd184ba26a152ae56a3acd040973d252ecaa0c7037

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
94KB

MD5
958b79ac8410a9f2135d604629aeafd6

SHA1
41369929a73c520f17fd731767a63705ed63be90

SHA256
999a40a5b01718c0fe270e2418489c9321862a0a9de9d07d81da397327d3836b

SHA512
47de98163c625e6beb502289aecab951fa8d7c721e6e2333dfa76c2f52c89088926841d39f97f559ff3b013f72648b55684277671726b59692beab4a464c77ec

Download Submit
C:\Windows\SysWOW64\Bdlfjh32.exe

Filesize
94KB

MD5
54b9e15774b0b7ea32ff258e6fc7140b

SHA1
437245c70ae401464551a33f1b276843f296fbac

SHA256
3284a02959a13fa64bf32c9ac0c0edcca4d859c4777332208ee8fa6f5b379c36

SHA512
a1f35ee2f6571a5f402c1c37e71eab20034224ba5780fbceffc837c50100b0bdfa1a6d5c8db188869903beae77a677a9815499120dfd1243f4fb0b9927968705

Download Submit
C:\Windows\SysWOW64\Bfaigclq.exe

Filesize
94KB

MD5
caa216d2fe496b5725a5b9d07062f54a

SHA1
cb90d40382b05fe0a2ff185949767b6adeaa3efe

SHA256
1143790783bfd9fa5f3b587068c9b9ae46faa1be23340f04143b2207ce35f7a6

SHA512
4ab7c802ba48e17c0d28dd37275102cea7990aaf816fbd3ccdfa081493bba35d03941b63e4ccfcffe6a9d3f7b96dd6f9912c38893b6037ca353d5d190998022b

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
94KB

MD5
585f536f0241ae5d48192af92e57c044

SHA1
74b59ab8757d426dc7bf22e037e973a550f93be8

SHA256
eefc9b2034fcf7b818e1adbc6f0cf11cc5ff3d9550cab5b9da42530448447917

SHA512
cff8e192b92a1504eb075e3b1bb5e618ba6cc297a28a63fb5dd7a96096e996a11f0ab66f1a31c77845b28e42cca93240376ea5379197afa4ac2a1e26be88a325

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
94KB

MD5
050f6daf1f5a5e71fcee4aefe0e20254

SHA1
7261a8aab06653a11872a1d01fef2e48cfcd7ff7

SHA256
d9cd9b3bbf2f393e9dfe97b41f48933ffa7cd880f0d20ac64fcd2281c68792e3

SHA512
a76bc8d3676baee1060197800e02f14ca4dd838b7d08a96322013cabb478e084d972620ee2248fd9095e43e5f940d416039e898deb122605b5b75cc20ea629db

Download Submit
C:\Windows\SysWOW64\Bjfogbjb.exe

Filesize
94KB

MD5
cec84b115e02b8039c1e91d8aa4fa9b9

SHA1
a6e9e85e8157a882802ace3910f006e2e28c47f0

SHA256
db96b729130f509aa478a162a7fc50124f10d093c5695a5e472dcd833916c5e5

SHA512
3c95424afe443a593c0d29f966b28eb9a28f41611bae5b9d23e16afadcec14dbf274b46de456d39e73da4f4faec751307374295cefbae375c9e01c0407ea7f04

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
94KB

MD5
3ed2495e0847f44adf86c89624368a86

SHA1
8d44476a9fa040048fbe515ae40fa6e6a88d8159

SHA256
ebfa3ae3806417632e047a6cb998f374f83db82df2ef8aa0e5b91eeeba5e314c

SHA512
e5eb08486f295fa26728c3d1cfa5def6e2caf65e2802dfcc1aba1b8a7403109fddfb37bb6fac2763888ebb3a025b780f06dc44c663a8dda8bf810329fec61e32

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
94KB

MD5
82f723b0062e913215ec83f96d5d62e4

SHA1
11e770414cf4e762ca63b60e42e999dbe486472f

SHA256
efd79466c19157eed0254c8809c2873ee67efd8508af9b91110169f6cbd5d00d

SHA512
00aaadb4ab8efb5ee5144c79181969618c31af20c1dc69d0ed1b633f4ba11ac4d60a388fd6e0cf335ca777fa47ce4d433426f5b8115168c86bca03b66f0c6864

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
94KB

MD5
5e9626d0ebc3f077f178de88758c62fa

SHA1
70a29c8c2759eb968619c77221dba9b0b43a0761

SHA256
256ee0cf97de03b913630652ab6cbef554f4b6800d409ac6c4bc7d1c0146cdab

SHA512
a3618e325701d1acf712151c34a283125877ba4f38d7cd09b7dfdc4e79beacf786bcbe4ca438dc6854cf12514f2a64c55bcc2caf4f65d347037a09497923a80e

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
94KB

MD5
9c72368929fc2b42fbfea5484df973fd

SHA1
34e6c6dc1c34a1e1219791274afc7097e8627618

SHA256
de6cfbabc02e11d9331234ad06e3c93ff854e95d0bae4290cc654a8e784c5c76

SHA512
bc78ef152e589e90fa34cbbf3c5c0f70c3e838a4df5b10991cf4b92a300493deaccbaccc225f7430692be8704e68df6d9e428db0c628f5e795b2f448c3c6cf64

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
94KB

MD5
30eaf37a0586f296a0ee573ea3fb6c4b

SHA1
4ca006e77b41f77e1b4b98e1f9983759da7c0316

SHA256
71b494ede58494aa2c166b1b667b8e0e09f6d2f0c7b804e0860df91f94a9507c

SHA512
c686d23b98994e3023409defa1bb3d5b5b43af45daf309c88a959d94be8061418cabe5df7fca8f51caf6496b68e18577aac70fea08145761b321e65aafa1fd47

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
94KB

MD5
0ca4205a55a86771935f10c6cf0f097e

SHA1
365126b6ab2958898dd44e6f3152211a4bb7f909

SHA256
b4b87a0124f4ad857734034e481c5cf60712d1d7cd16247bfca1696298667c2e

SHA512
31bf5cf65a396e300f04e847bf5aa0ed8d67103e6f5f8b44b8d24fa8f0f5b9a69ab7efefb65efa7f3a7bca5b48a6195230e3cafc49b8193aadb838db29dd8916

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
94KB

MD5
89a75f86e194a4be896460bec668c56d

SHA1
f4f5584c4764cf652fb40682e9867214e49be3db

SHA256
6ddfce7c2cb8f76cabeead471208dd52fab6356d242e84d68ca0c9049e363c0a

SHA512
e6719b6c188ea83bbc499623cca2ec732919e1a2a4b190b0351763d4b3abd7b9e502a44e4b3735ba8ed46436008c16f3658b4e07708e80a949089ae30336035b

Download Submit
C:\Windows\SysWOW64\Cpogkhnl.exe

Filesize
94KB

MD5
c563a32863e722c6bc07c5e5ebbe826b

SHA1
5a767650b62357d2aa5d409d89b4adb706bf5781

SHA256
ebfe7bc3b659dc36a44077dbc3e4fdb73d418ff3c0960be13710c6afc1843b79

SHA512
e7462d59a28a625fd00c1dde836a447ac27296d0b58c0c70721e99fa2919d772cda60e7308eee8080d95ff567c3e004ca65c03dcfd71a90986fe1f1d939f9c8d

Download Submit
C:\Windows\SysWOW64\Qapnmopa.exe

Filesize
94KB

MD5
8b0c4958522783a67fea6f7142338437

SHA1
3e3ff128b3009086097d84256807cc75da143201

SHA256
8b71ead63e1cb5a59dc248ad734d886a717236f73cd43d9944d182272fabe62c

SHA512
9824796d6df44a9c9c3b95868d9d1af5d0cc4a03da0fa3c3b712af892567357d52d0771117ef3c3fb92ca611c61f841889a26491954d5d607cd5158300993c57

Download Submit
C:\Windows\SysWOW64\Qfmfefni.exe

Filesize
94KB

MD5
d972088b25bac1a906cce19cc27c49b4

SHA1
d6cfb95914e56349289c74a526099816b131e1b9

SHA256
b05e66cfbdfb0895f10f5c81ede0bbc1ab879f9abdb715afddca7e46a3e610cd

SHA512
4111bde51d7adaee1b5a42177a3151c4d5c4445dea477c2ea9c9df6359dcbff554532eb31dcdf34c1b6bdf96155ddc57c6f0964bc5f7a9b7b312d9319c6cdba3

Download Submit
C:\Windows\SysWOW64\Qiiflaoo.exe

Filesize
94KB

MD5
5b411705fd8e6727c83bceea3a53c04d

SHA1
3adb9e8b66fc2b1b1910256c33f701b9cd3d4cb6

SHA256
404a2ac8eff66a495fcdca5a0c877359131a8231942292fa57a6eae17ec4f7b1

SHA512
334c97b45b139869004beb50b319664011e840aab5b67616c3ed4bfb8d61b1d8973afa7a4757b5d6731e2a27b9de7ece39656ac6ff0894b6738b4fea07aa4483

Download Submit
C:\Windows\SysWOW64\Qikbaaml.exe

Filesize
94KB

MD5
0c33f61505348a044e6c5eb1cbb0d4f6

SHA1
56dc2c57447a136b961190fb9d3912dc4b4ebe6e

SHA256
c5bd44fc9d4b6b63a0675a150f8dd0102e7c89decfcbf0db9603f511d3e01daa

SHA512
a10f33850596671290d1e6151d0805614a635b6cc8a0965291ed2687a6fd2eb3d76890f48bea35406f8a8d0495d42f8bf7df0467aa99442c2620054a35ed23da

Download Submit
memory/976-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/976-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-110-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1160-101-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1160-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1428-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1508-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1508-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1516-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1516-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1544-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1544-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-166-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2248-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2308-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2704-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2836-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-123-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3240-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3248-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3432-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3444-165-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3584-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3624-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3624-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-164-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3816-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3816-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3916-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3916-210-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4140-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4140-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-155-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4444-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4444-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4540-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4828-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4976-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5036-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads