69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be

Analysis

max time kernel
146s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
Size

2.5MB
MD5

cf6c55b539d6347cce94908db7566731
SHA1

e3764226427ed387bae959d4ba039a51ea08a825
SHA256

69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be
SHA512

d403f9c4db91379467ef6c01121ff56a5084d721359ae6d6e5a5c20efd967a5fa37efb52de6dbe3ef4a0402a47dc732c2d0ec6bef9650685c6ef9685845fc692
SSDEEP

24576:fZwPgsaDZgQjGkwlks/6HnEpFsaK2cWfVaw0HBFhWof/0o8:fCPnaDZvjG0DnNaK2SQU0o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apcfahio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckffgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaefjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjndop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dngoibmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banepo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banepo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dngoibmo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Begeknan.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailkjmpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkfjhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcqpmep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Claifkkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhooggdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bokphdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beehencq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdooajdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdakgibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmonbqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmonbqk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdadamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajdadamj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccfhhffh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Copfbfjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckffgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkpbgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qaefjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ailkjmpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bloqah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkfjhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clomqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Comimg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bokphdld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beehencq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bghabf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcqpmep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clomqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddokpmfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqelenlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqelenlc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjlgiqbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adhlaggp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Comimg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkeib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Claifkkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adhlaggp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apcfahio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bloqah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Begeknan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdakgibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbmjplb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfinoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfinoq32.exe

Executes dropped EXE 43 IoCs

pid	Process
1464	Qaefjm32.exe
2328	Qhooggdn.exe
2908	Ajphib32.exe
2636	Adhlaggp.exe
2700	Ajdadamj.exe
2676	Apcfahio.exe
2432	Afmonbqk.exe
2672	Ailkjmpo.exe
1484	Bokphdld.exe
2736	Beehencq.exe
1324	Bloqah32.exe
2900	Begeknan.exe
1652	Bghabf32.exe
1584	Banepo32.exe
2080	Bkfjhd32.exe
2084	Bdooajdc.exe
656	Cjlgiqbk.exe
584	Cdakgibq.exe
2404	Cjndop32.exe
412	Ccfhhffh.exe
1872	Chcqpmep.exe
1492	Clomqk32.exe
1564	Comimg32.exe
2832	Cbkeib32.exe
1092	Cjbmjplb.exe
1436	Claifkkf.exe
2844	Copfbfjj.exe
3004	Cfinoq32.exe
1364	Chhjkl32.exe
2920	Ckffgg32.exe
1608	Cndbcc32.exe
1616	Ddokpmfo.exe
2620	Dgmglh32.exe
2652	Dngoibmo.exe
2556	Dqelenlc.exe
2668	Dhmcfkme.exe
2884	Dkkpbgli.exe
2156	Hpapln32.exe
2492	Henidd32.exe
1664	Hlhaqogk.exe
2264	Idceea32.exe
684	Ioijbj32.exe
1456	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
1972	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
1972	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
1464	Qaefjm32.exe
1464	Qaefjm32.exe
2328	Qhooggdn.exe
2328	Qhooggdn.exe
2908	Ajphib32.exe
2908	Ajphib32.exe
2636	Adhlaggp.exe
2636	Adhlaggp.exe
2700	Ajdadamj.exe
2700	Ajdadamj.exe
2676	Apcfahio.exe
2676	Apcfahio.exe
2432	Afmonbqk.exe
2432	Afmonbqk.exe
2672	Ailkjmpo.exe
2672	Ailkjmpo.exe
1484	Bokphdld.exe
1484	Bokphdld.exe
2736	Beehencq.exe
2736	Beehencq.exe
1324	Bloqah32.exe
1324	Bloqah32.exe
2900	Begeknan.exe
2900	Begeknan.exe
1652	Bghabf32.exe
1652	Bghabf32.exe
1584	Banepo32.exe
1584	Banepo32.exe
2080	Bkfjhd32.exe
2080	Bkfjhd32.exe
2084	Bdooajdc.exe
2084	Bdooajdc.exe
656	Cjlgiqbk.exe
656	Cjlgiqbk.exe
584	Cdakgibq.exe
584	Cdakgibq.exe
2404	Cjndop32.exe
2404	Cjndop32.exe
412	Ccfhhffh.exe
412	Ccfhhffh.exe
1872	Chcqpmep.exe
1872	Chcqpmep.exe
1492	Clomqk32.exe
1492	Clomqk32.exe
1564	Comimg32.exe
1564	Comimg32.exe
2832	Cbkeib32.exe
2832	Cbkeib32.exe
1092	Cjbmjplb.exe
1092	Cjbmjplb.exe
1436	Claifkkf.exe
1436	Claifkkf.exe
2844	Copfbfjj.exe
2844	Copfbfjj.exe
3004	Cfinoq32.exe
3004	Cfinoq32.exe
1364	Chhjkl32.exe
1364	Chhjkl32.exe
2920	Ckffgg32.exe
2920	Ckffgg32.exe
1608	Cndbcc32.exe
1608	Cndbcc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bloqah32.exe	Beehencq.exe
File created	C:\Windows\SysWOW64\Hkfmal32.dll	Clomqk32.exe
File created	C:\Windows\SysWOW64\Qhooggdn.exe	Qaefjm32.exe
File created	C:\Windows\SysWOW64\Mjccnjpk.dll	Ajphib32.exe
File created	C:\Windows\SysWOW64\Ailkjmpo.exe	Afmonbqk.exe
File opened for modification	C:\Windows\SysWOW64\Cfinoq32.exe	Copfbfjj.exe
File created	C:\Windows\SysWOW64\Omeope32.dll	Chhjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmcfkme.exe	Dqelenlc.exe
File created	C:\Windows\SysWOW64\Ddgkcd32.dll	Dqelenlc.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Aofqfokm.dll	Ajdadamj.exe
File created	C:\Windows\SysWOW64\Bokphdld.exe	Ailkjmpo.exe
File created	C:\Windows\SysWOW64\Qoflni32.dll	Comimg32.exe
File created	C:\Windows\SysWOW64\Mcbndm32.dll	Ddokpmfo.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Bghabf32.exe	Begeknan.exe
File opened for modification	C:\Windows\SysWOW64\Bkfjhd32.exe	Banepo32.exe
File opened for modification	C:\Windows\SysWOW64\Ccfhhffh.exe	Cjndop32.exe
File created	C:\Windows\SysWOW64\Idphiplp.dll	Beehencq.exe
File opened for modification	C:\Windows\SysWOW64\Cjbmjplb.exe	Cbkeib32.exe
File created	C:\Windows\SysWOW64\Cndbcc32.exe	Ckffgg32.exe
File opened for modification	C:\Windows\SysWOW64\Beehencq.exe	Bokphdld.exe
File opened for modification	C:\Windows\SysWOW64\Cjndop32.exe	Cdakgibq.exe
File created	C:\Windows\SysWOW64\Cjbmjplb.exe	Cbkeib32.exe
File created	C:\Windows\SysWOW64\Chhjkl32.exe	Cfinoq32.exe
File created	C:\Windows\SysWOW64\Apcfahio.exe	Ajdadamj.exe
File created	C:\Windows\SysWOW64\Iegecigk.dll	Begeknan.exe
File opened for modification	C:\Windows\SysWOW64\Cbkeib32.exe	Comimg32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Bdooajdc.exe	Bkfjhd32.exe
File opened for modification	C:\Windows\SysWOW64\Dgmglh32.exe	Ddokpmfo.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Dkkpbgli.exe
File created	C:\Windows\SysWOW64\Adhlaggp.exe	Ajphib32.exe
File opened for modification	C:\Windows\SysWOW64\Cdakgibq.exe	Cjlgiqbk.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Qhooggdn.exe	Qaefjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ajphib32.exe	Qhooggdn.exe
File opened for modification	C:\Windows\SysWOW64\Adhlaggp.exe	Ajphib32.exe
File created	C:\Windows\SysWOW64\Cbamcl32.dll	Claifkkf.exe
File created	C:\Windows\SysWOW64\Pdfdcg32.dll	Ailkjmpo.exe
File created	C:\Windows\SysWOW64\Gncffdfn.dll	Bloqah32.exe
File opened for modification	C:\Windows\SysWOW64\Chhjkl32.exe	Cfinoq32.exe
File created	C:\Windows\SysWOW64\Begeknan.exe	Bloqah32.exe
File created	C:\Windows\SysWOW64\Qaefjm32.exe	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
File created	C:\Windows\SysWOW64\Maomqp32.dll	Cbkeib32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Dkkpbgli.exe
File created	C:\Windows\SysWOW64\Keledb32.dll	Cfinoq32.exe
File created	C:\Windows\SysWOW64\Ipdljffa.dll	Cndbcc32.exe
File opened for modification	C:\Windows\SysWOW64\Apcfahio.exe	Ajdadamj.exe
File created	C:\Windows\SysWOW64\Ffakeiib.dll	Bdooajdc.exe
File created	C:\Windows\SysWOW64\Comimg32.exe	Clomqk32.exe
File created	C:\Windows\SysWOW64\Cdakgibq.exe	Cjlgiqbk.exe
File created	C:\Windows\SysWOW64\Iiciogbn.dll	Cjlgiqbk.exe
File opened for modification	C:\Windows\SysWOW64\Copfbfjj.exe	Claifkkf.exe
File opened for modification	C:\Windows\SysWOW64\Ckffgg32.exe	Chhjkl32.exe
File created	C:\Windows\SysWOW64\Dgmglh32.exe	Ddokpmfo.exe
File created	C:\Windows\SysWOW64\Lbjhdo32.dll	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
File opened for modification	C:\Windows\SysWOW64\Afmonbqk.exe	Apcfahio.exe
File created	C:\Windows\SysWOW64\Beehencq.exe	Bokphdld.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Dqelenlc.exe	Dngoibmo.exe
File created	C:\Windows\SysWOW64\Dkkpbgli.exe	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Mghjoa32.dll	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Hlhaqogk.exe

Program crash 1 IoCs

pid	pid_target	Process
632	1456	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll"	Ddokpmfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddokpmfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Comimg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckffgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll"	Ajdadamj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beehencq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banepo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apcfahio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkfjhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maomqp32.dll"	Cbkeib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddokpmfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccfhhffh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbkeib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmcfkme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll"	Banepo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Claifkkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qaefjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajdadamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncffdfn.dll"	Bloqah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjhdo32.dll"	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfinoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbpqb32.dll"	Bokphdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bokphdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bghabf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkfjhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdakgibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegecigk.dll"	Begeknan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfinoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll"	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfdcg32.dll"	Ailkjmpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjlgiqbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chhjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bokphdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Dkkpbgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkpbgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Begeknan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdooajdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckblig32.dll"	Chcqpmep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbmjplb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Claifkkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjccnjpk.dll"	Ajphib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ailkjmpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beehencq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chhjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckffgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppiecpn.dll"	Copfbfjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajphib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adhlaggp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjndop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdakgibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dqelenlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1464	1972	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe	28
PID 1972 wrote to memory of 1464	1972	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe	28
PID 1972 wrote to memory of 1464	1972	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe	28
PID 1972 wrote to memory of 1464	1972	69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe	28
PID 1464 wrote to memory of 2328	1464	Qaefjm32.exe	29
PID 1464 wrote to memory of 2328	1464	Qaefjm32.exe	29
PID 1464 wrote to memory of 2328	1464	Qaefjm32.exe	29
PID 1464 wrote to memory of 2328	1464	Qaefjm32.exe	29
PID 2328 wrote to memory of 2908	2328	Qhooggdn.exe	30
PID 2328 wrote to memory of 2908	2328	Qhooggdn.exe	30
PID 2328 wrote to memory of 2908	2328	Qhooggdn.exe	30
PID 2328 wrote to memory of 2908	2328	Qhooggdn.exe	30
PID 2908 wrote to memory of 2636	2908	Ajphib32.exe	31
PID 2908 wrote to memory of 2636	2908	Ajphib32.exe	31
PID 2908 wrote to memory of 2636	2908	Ajphib32.exe	31
PID 2908 wrote to memory of 2636	2908	Ajphib32.exe	31
PID 2636 wrote to memory of 2700	2636	Adhlaggp.exe	32
PID 2636 wrote to memory of 2700	2636	Adhlaggp.exe	32
PID 2636 wrote to memory of 2700	2636	Adhlaggp.exe	32
PID 2636 wrote to memory of 2700	2636	Adhlaggp.exe	32
PID 2700 wrote to memory of 2676	2700	Ajdadamj.exe	33
PID 2700 wrote to memory of 2676	2700	Ajdadamj.exe	33
PID 2700 wrote to memory of 2676	2700	Ajdadamj.exe	33
PID 2700 wrote to memory of 2676	2700	Ajdadamj.exe	33
PID 2676 wrote to memory of 2432	2676	Apcfahio.exe	34
PID 2676 wrote to memory of 2432	2676	Apcfahio.exe	34
PID 2676 wrote to memory of 2432	2676	Apcfahio.exe	34
PID 2676 wrote to memory of 2432	2676	Apcfahio.exe	34
PID 2432 wrote to memory of 2672	2432	Afmonbqk.exe	35
PID 2432 wrote to memory of 2672	2432	Afmonbqk.exe	35
PID 2432 wrote to memory of 2672	2432	Afmonbqk.exe	35
PID 2432 wrote to memory of 2672	2432	Afmonbqk.exe	35
PID 2672 wrote to memory of 1484	2672	Ailkjmpo.exe	36
PID 2672 wrote to memory of 1484	2672	Ailkjmpo.exe	36
PID 2672 wrote to memory of 1484	2672	Ailkjmpo.exe	36
PID 2672 wrote to memory of 1484	2672	Ailkjmpo.exe	36
PID 1484 wrote to memory of 2736	1484	Bokphdld.exe	37
PID 1484 wrote to memory of 2736	1484	Bokphdld.exe	37
PID 1484 wrote to memory of 2736	1484	Bokphdld.exe	37
PID 1484 wrote to memory of 2736	1484	Bokphdld.exe	37
PID 2736 wrote to memory of 1324	2736	Beehencq.exe	38
PID 2736 wrote to memory of 1324	2736	Beehencq.exe	38
PID 2736 wrote to memory of 1324	2736	Beehencq.exe	38
PID 2736 wrote to memory of 1324	2736	Beehencq.exe	38
PID 1324 wrote to memory of 2900	1324	Bloqah32.exe	39
PID 1324 wrote to memory of 2900	1324	Bloqah32.exe	39
PID 1324 wrote to memory of 2900	1324	Bloqah32.exe	39
PID 1324 wrote to memory of 2900	1324	Bloqah32.exe	39
PID 2900 wrote to memory of 1652	2900	Begeknan.exe	40
PID 2900 wrote to memory of 1652	2900	Begeknan.exe	40
PID 2900 wrote to memory of 1652	2900	Begeknan.exe	40
PID 2900 wrote to memory of 1652	2900	Begeknan.exe	40
PID 1652 wrote to memory of 1584	1652	Bghabf32.exe	41
PID 1652 wrote to memory of 1584	1652	Bghabf32.exe	41
PID 1652 wrote to memory of 1584	1652	Bghabf32.exe	41
PID 1652 wrote to memory of 1584	1652	Bghabf32.exe	41
PID 1584 wrote to memory of 2080	1584	Banepo32.exe	42
PID 1584 wrote to memory of 2080	1584	Banepo32.exe	42
PID 1584 wrote to memory of 2080	1584	Banepo32.exe	42
PID 1584 wrote to memory of 2080	1584	Banepo32.exe	42
PID 2080 wrote to memory of 2084	2080	Bkfjhd32.exe	43
PID 2080 wrote to memory of 2084	2080	Bkfjhd32.exe	43
PID 2080 wrote to memory of 2084	2080	Bkfjhd32.exe	43
PID 2080 wrote to memory of 2084	2080	Bkfjhd32.exe	43

C:\Users\Admin\AppData\Local\Temp\69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe
"C:\Users\Admin\AppData\Local\Temp\69311bc5dd223e597c7189d61b9eddeb4a494a224f5b1f9562f30a3188ff38be.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\Qaefjm32.exe
  C:\Windows\system32\Qaefjm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\Qhooggdn.exe
    C:\Windows\system32\Qhooggdn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\Ajphib32.exe
      C:\Windows\system32\Ajphib32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\Adhlaggp.exe
        
        C:\Windows\system32\Adhlaggp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Ajdadamj.exe
        
        C:\Windows\system32\Ajdadamj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Apcfahio.exe
        
        C:\Windows\system32\Apcfahio.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Afmonbqk.exe
        
        C:\Windows\system32\Afmonbqk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Ailkjmpo.exe
        
        C:\Windows\system32\Ailkjmpo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Bokphdld.exe
        
        C:\Windows\system32\Bokphdld.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Beehencq.exe
        
        C:\Windows\system32\Beehencq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Bloqah32.exe
        
        C:\Windows\system32\Bloqah32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Begeknan.exe
        
        C:\Windows\system32\Begeknan.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Bghabf32.exe
        
        C:\Windows\system32\Bghabf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Banepo32.exe
        
        C:\Windows\system32\Banepo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Bkfjhd32.exe
        
        C:\Windows\system32\Bkfjhd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Bdooajdc.exe
        
        C:\Windows\system32\Bdooajdc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Cjlgiqbk.exe
        
        C:\Windows\system32\Cjlgiqbk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Cdakgibq.exe
        
        C:\Windows\system32\Cdakgibq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Cjndop32.exe
        
        C:\Windows\system32\Cjndop32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Ccfhhffh.exe
        
        C:\Windows\system32\Ccfhhffh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Chcqpmep.exe
        
        C:\Windows\system32\Chcqpmep.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Clomqk32.exe
        
        C:\Windows\system32\Clomqk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Comimg32.exe
        
        C:\Windows\system32\Comimg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Cbkeib32.exe
        
        C:\Windows\system32\Cbkeib32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Cjbmjplb.exe
        
        C:\Windows\system32\Cjbmjplb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Claifkkf.exe
        
        C:\Windows\system32\Claifkkf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Copfbfjj.exe
        
        C:\Windows\system32\Copfbfjj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Cfinoq32.exe
        
        C:\Windows\system32\Cfinoq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Chhjkl32.exe
        
        C:\Windows\system32\Chhjkl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Ckffgg32.exe
        
        C:\Windows\system32\Ckffgg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Cndbcc32.exe
        
        C:\Windows\system32\Cndbcc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Ddokpmfo.exe
        
        C:\Windows\system32\Ddokpmfo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Dgmglh32.exe
        
        C:\Windows\system32\Dgmglh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Dngoibmo.exe
        
        C:\Windows\system32\Dngoibmo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Dqelenlc.exe
        
        C:\Windows\system32\Dqelenlc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Dhmcfkme.exe
        
        C:\Windows\system32\Dhmcfkme.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Dkkpbgli.exe
        
        C:\Windows\system32\Dkkpbgli.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        44⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 140
        45⤵
        Program crash
        
        PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmonbqk.exe

Filesize
2.5MB

MD5
a1952faee51c8d146a3634cfbf234316

SHA1
4340f631036ca4c98bc81a9f4f3a43947a2527b7

SHA256
86a93ee3fe9f8e5b36d2f0fade3d3b0de01e3fc750c09bc125b0ee17a58c4c0e

SHA512
62c7acdc0039238665fb5f5eca03f4310fe66bea36472eff498833087528c321178299e03fbabc00c80241a7d25de942446d07dc6b7d33c45612d8fdf9b90ffb

Download Submit
C:\Windows\SysWOW64\Ailkjmpo.exe

Filesize
2.5MB

MD5
f67638ec2ec4e33e279705c013a6832a

SHA1
5a780fe157fe6a9da05181b59d36ef68cc3f35fa

SHA256
41462495745862f00031309eb66e70895c6e19f988a3c6e401fea711d5e973cb

SHA512
afecaff0bba26fe6ab8f3d982ba5beaf5ba1f226aaf8360383fb8eabb8ccb5bcb3349231d4243db8d26edc1134083cc29755964135941bb6fe32eac0bfcd6b66

Download Submit
C:\Windows\SysWOW64\Ajdadamj.exe

Filesize
2.5MB

MD5
e83d3f65c76465ba825edb4a76b13ac2

SHA1
b0cfe2b80340f6ae8488c63b348854ecb843fbb6

SHA256
1fc3cb563497d3edfa21e655bb155ff455e905645068c723dca4816e3f85876f

SHA512
a1e5a7792ab5dd20f4f891c9b0fb3382bb70e9f220300153cc7e1935b945727369f2edb73ff54ec60100098a544e9c04752a3d379ad2191cead0bbd478427195

Download Submit
C:\Windows\SysWOW64\Apcfahio.exe

Filesize
2.5MB

MD5
e5d5f6aa301585edfefa2dde5c2e907a

SHA1
83d2765f9a3e1e84ff17cd25801f1a216551b187

SHA256
9513d00cfe95bced9cbff6cdfff9cacdccba180e4ed3ec4e2f996c35c639d206

SHA512
995d1c0f6926210e1105565715311536a558d677f340ee074e8fd6b783804619c9b2421345b7a0e7540c9abbfae2c71102991c3dd9bed156748c0730c35b9547

Download Submit
C:\Windows\SysWOW64\Banepo32.exe

Filesize
2.5MB

MD5
ca52403b99739c9a162ae870aebeaf92

SHA1
433041594ad86709aa97b5b5282767967f8cc2fa

SHA256
1c4041ef4d3288442b33ad10ef59ff204148ccf45511fd2989d9590e5895ae41

SHA512
a27bba2afc53c0446f363fed02871f6a69f0d42f63228e149fe762496735ac392d0391e7451be2f037dfbd24b624f6404cf87fc12499f9f037350993941770cc

Download Submit
C:\Windows\SysWOW64\Bdooajdc.exe

Filesize
2.5MB

MD5
0b8789859aef31b9619e5305ad3f9415

SHA1
839448951cf260acccfbb5de4b0445c57bcd2442

SHA256
e078eacc1dcbd1c4c68fe0aa337fb3c9e1ec2c91e9f2f367bb849f79feba1d19

SHA512
bc1001d46f487952d71c50c7f17bb26fc19553cf613fe39b01b874a2e686607754edb01dd61aead33e1f92ce7ecfdb0685db2d298ff6127b024d4b45347a956d

Download Submit
C:\Windows\SysWOW64\Beehencq.exe

Filesize
2.5MB

MD5
440c98fe478b4747507107843b5cb065

SHA1
15905bd57136cfecbc2303b0545799062f6c95db

SHA256
24f2c21a68b2957b6cca9b6308412b7d3e69b401e9c9a3734d55646a021fbb7a

SHA512
0ca8d90f32215f819e71307086dc78edd7775309d6a1ec59844370ee3c2b441bd0c3b20242fdd22baac2f22f2183c0d96ee9bdc46008fa2f126b4e313a287c80

Download Submit
C:\Windows\SysWOW64\Begeknan.exe

Filesize
2.5MB

MD5
f63f9fe0215e5b5e2f1e6709101c6856

SHA1
0000db899b420ffc35e60436978b76d97818e6af

SHA256
a66fe3567d9e140347ceba42fab9c8d5a103cdb58c048033bf1c60027e513c44

SHA512
b2f09cefe688f6ffa5568d70ecec3d5b026afafc054303e94dec19e733c3a2cdcc64f6568de74adea8e16c0ea924f034cbcdcf439d24b4d484e4057a8920072d

Download Submit
C:\Windows\SysWOW64\Bghabf32.exe

Filesize
2.5MB

MD5
1dedc49460ef45513dc174b4751b0f0b

SHA1
e679cc546659f1aff1ffabf7a16be76df813b88c

SHA256
7cd94e5bfd85a6f2f5d1984eeabf31ca160db0abcce19f00920cfab08c7cf9e2

SHA512
f5f90b24d5085b8546a18d6b2cf258aab86368fe25e2161a7f0eaeeef770578d63215fc23eab3019c20947c15bfcedce32bf7b5255d44176f5a23c144c6cf17f

Download Submit
C:\Windows\SysWOW64\Bkfjhd32.exe

Filesize
2.5MB

MD5
2395698c8e41bc7dcacd58584a8df8a9

SHA1
d3387bc91ab2b8b1152d007188dcc3c3edd78073

SHA256
ee8a8a4ec6f0c26978fec9bb41424f8a4075482284c36a49278613ef00a1184f

SHA512
ffeab589c2d2fa85a6b34389c4e6071d8bf1cf7d0f35eba846e39f6ca91ca01c44c90a851563e54bbeb0a4560c328c15c5bba7ac7f0aab1d498d23dd65f2f2b8

Download Submit
C:\Windows\SysWOW64\Bloqah32.exe

Filesize
2.5MB

MD5
163e6dc59b2350032f117eff2de937a1

SHA1
53f1e6872f6fedb00fab76ca5480a000a8c6b01b

SHA256
a0fec30ef6ec60c6421457ef986a72d50f2eb1a3b964ee1c0f457dd8a60a0003

SHA512
d7df0d50b2fcf7a21c8bbe35f7e636b6a9994d2906bce8eaee2aefc03818711fa47a629d899e18e3d23c73fa36e8229427d7ec9c0f70377b224f5c564bfc918d

Download Submit
C:\Windows\SysWOW64\Bokphdld.exe

Filesize
2.5MB

MD5
cef2c561c0a4339dba8296c16112f207

SHA1
deb9f61a3af5fa465f24e1b9df72aece8a0e0295

SHA256
907dcdee179511adee363ae5f78dcec4127ce214cde0873a9c72886e51cb42ff

SHA512
71fc4ca17a08947647687af5ee01d4a649a7a283fcc7225569e5ac46f65153318a1fb16cde32379bc9a62abe68cd95a7e1b95fd4f59280c7e1cfadb5623a7fc5

Download Submit
C:\Windows\SysWOW64\Cbkeib32.exe

Filesize
2.5MB

MD5
85cfc8ffdfee062dea63795eb4f2569d

SHA1
6726e332628d6210909984758ea06b6b166dff33

SHA256
d0c3e794ddc53135446a4cef50a97be6827256fe37272c7e5eef1376ebdd1b72

SHA512
13f239b6317408e2b0e4357c63191537112b0a6f9b33ca936ea622a3c67f613a18ffce2e2db4fdd21063c3df8e923c178aa58f0f2730e851a8088ed448bc75c1

Download Submit
C:\Windows\SysWOW64\Ccfhhffh.exe

Filesize
2.5MB

MD5
7d917ef27511754ba2b8a380255360cf

SHA1
9594c8d7aa6107c4a7e4a8751cb0539b63ed317d

SHA256
c6c1d1c242a5a03ab94dae7ecec037dcc3e3a025e1c5b3384b171250fedeb6d6

SHA512
d749d7bc946889a58302d487e0345b38511dd904b1f55a9e1309e873cccd833d2f8321080445db15c49396b89e1428ee00106ec32f7898c6b6461382f446ab99

Download Submit
C:\Windows\SysWOW64\Cdakgibq.exe

Filesize
2.5MB

MD5
fc070174a75b9a063c5734ff4db06fec

SHA1
ddadd2657d97d43c877e9a9c5d0dd6425e3c7f2e

SHA256
0d600757dd5f8b080c40c23e4482c1381d35d116334024f423f42fe0fe89b2d1

SHA512
d8480a3c4a3689c883c1b53441af7bc2484c811f205a357ca6d9aba9cd93f47226a5980c9a1d57d5d96fdc655a605cf4dc56856634fde6032c55f61c660561e9

Download Submit
C:\Windows\SysWOW64\Cfinoq32.exe

Filesize
2.5MB

MD5
8afaf68b05a578b80ed08b4640839895

SHA1
d0797e3d8d1726583539d4ac435d2a15d8a0f83e

SHA256
e685f1a5ad0d2b522bdd96cab0cdd1a5dcc88ab5a2eebae71422c02ba8a333ef

SHA512
b037814bbfb5e43127303634dfbecb40ac97982282f077fa967c37b2f26204511d1e9c8e228de17630ff543be5b826b81fa1747e950bb930820269b61e9e0d36

Download Submit
C:\Windows\SysWOW64\Chcqpmep.exe

Filesize
2.5MB

MD5
ba834eec7497e01f996c625284a8c221

SHA1
72edbdc8c551e25f8020e272ffdb00cf77551b60

SHA256
820479cf259242b3e257d664d216ad457ce00df14c2a98f2b9da1ce18900ff96

SHA512
d2103b9a30ef7cead0299f227fb5361d94669d7d049ca3f7e62f02021039cc5d904be7bb118777e066ed96cbd04b9511ccb2cb3c3d3d0949fe5b6fbf24036828

Download Submit
C:\Windows\SysWOW64\Chhjkl32.exe

Filesize
2.5MB

MD5
3d2f32c047700110e8a762d7c3c2f37c

SHA1
6350b32c59717c536a5a4766369690ba6ce3d6e8

SHA256
1f039f9c965430b4c796bb730bc1314e1ee94cac2ed5ef86d98a4c7ed1550db2

SHA512
000198e20daf59dbdc3b30ea141cccf4c3d8aa415b776d6c46c18c051542617e703c54013692eee1e3262587fa5418f0c6f72459c816e8fc5e44d2416d86d2d0

Download Submit
C:\Windows\SysWOW64\Cjbmjplb.exe

Filesize
2.5MB

MD5
ff4970559b09f7a5fe458f097a4e537f

SHA1
ea6ff3a8d9dabf22de7571b4abc412297fa24bf3

SHA256
6a6ebc29bedfe540b2942d12d01e90be61b35c352f257938d01cda78411cf7f0

SHA512
986999e825256e8d19558e8944e0680c8237de6250cba76c49b76d27f98f62c0e3f719ccbe2fec78cf15f8df663a14e48290a75d8b6179d48778af188d988c7a

Download Submit
C:\Windows\SysWOW64\Cjlgiqbk.exe

Filesize
2.5MB

MD5
bee9cc03b653169782ff348b47e7d253

SHA1
d95f1b1004a3ab552479e615fea5f86b0172639b

SHA256
7dd526a3025c074e9087c00dc69842385b110f968d8afe2afdd3e80bccb7f3e4

SHA512
ec9e98c93baef3e67bff7c7440b2ac7497ea072804ac7fddc79de8bb17d3612bdbfc97b133a7a860b1ad3347dca20813fadc3b20b8fba5c9465a1814daac4d91

Download Submit
C:\Windows\SysWOW64\Cjndop32.exe

Filesize
2.5MB

MD5
dcbd03af295991e6b05c7cbe8b155ef8

SHA1
9601b6ff8ba5fe2ceb8a5336ccd22e2a76cc213c

SHA256
554393868f733a697a112477235cc172d233506bad4b2faf80b0849c1f74728a

SHA512
a5b6acf57b8afce7cd15e8d93ee3686655c742bd6f2b27a5051edb8d0c0a639b3e607506b83e3273bd429e2ed97336aca16070d282a4834a7c6c5666ff1f0b3c

Download Submit
C:\Windows\SysWOW64\Ckffgg32.exe

Filesize
2.5MB

MD5
d2f6d11f8971847a036cd1ffbb218326

SHA1
8143fbd731b14cf04b5ace12269cecb7c943e0f1

SHA256
f5d06992f65850121582c648ec30001f5f0195aefc6619cec952381978afc9ef

SHA512
08f35a82ec3cb2567a642efb9a06ce5e8f3fd7daabc71a1b960b1ed4dd59d4939ff320b6c22e5362e703ab3f38df5c5e8d98d42bff31303cddba17210299a7e7

Download Submit
C:\Windows\SysWOW64\Claifkkf.exe

Filesize
2.5MB

MD5
33456cac37d063769a4026923d0c95a3

SHA1
08018b3bed9beaab11049cd77865577aca87da58

SHA256
ee1fc7560a223069366ba050e6131400389d8e7c3d44a09cd1977c8d91682c9f

SHA512
9971c89c1d57b6b11c4616663d3fd77f2544660f0bb5e4d2341877685e6daa97c58586080589d2ad1660ec52ddf7c9d1d763faa4e66114192ee27d75ebc12838

Download Submit
C:\Windows\SysWOW64\Clomqk32.exe

Filesize
2.5MB

MD5
5b760ecf81cc2e3acf10f98c44bd89bf

SHA1
b27e1471d57f705b683bddc6f065d717c0c21f2a

SHA256
545400f5924550045636a9784d64f94cd39cfb2a4c35d8eb42ecfc6d3a675cc9

SHA512
5dd37accd1d108bd7bf71d8d19863cc1a0de5ce1ce5e0698b041a6c83342eac4641c3c4157aa8824071ecba38357841decc8d2596a01013be94be4944ee3fcac

Download Submit
C:\Windows\SysWOW64\Cndbcc32.exe

Filesize
2.5MB

MD5
af478832132f9948038be92c34aa9b6e

SHA1
a86d29d0c75d3ff207aaa14f744ff22d4781c7d5

SHA256
e8b2b1027b00ccfad988d7f47a22e67601a5971513fd0b615de36604b2b4f6cb

SHA512
dccb3d416f0b15fa7d000dc74e161c91ea51e4e5b7b52fe936796e1692588766038180433144032eb006718d6970acfa2c458401e8cf865763833f48edf25725

Download Submit
C:\Windows\SysWOW64\Comimg32.exe

Filesize
2.5MB

MD5
89f25fa9e35798a9835ba45565379d55

SHA1
d294957ba72c534a52f1a5dd8c3ef560a0da9627

SHA256
d408f0b0a1dcb6fd62f3ed3d3fd3fbfb1bf20523533ad88c2d5659ecdf589654

SHA512
e3cc69a61184e2770ad27faeee773989bdd1e0a7c346e7c63be4140a6e115e6a888bae39732c0496627ee18730f89456eab434e05f0df519a70bee567301e619

Download Submit
C:\Windows\SysWOW64\Copfbfjj.exe

Filesize
2.5MB

MD5
d9afcbae8f8c2f54b8a9a6dcf0c61e9c

SHA1
22f7b69640249ed69a5a8bc728669ec8b571f81b

SHA256
5c801f8c0140b3b6a067acd74334c6233860d26f62138b048b3db5332c3d146f

SHA512
89b624a68d5f5606ea077afbac929ccae992103aac8139c406e6efe8732f0c13b2bb9d181768e3275fc0376760a0e4350113d8069b37e9b206f0c5b128ff5cd3

Download Submit
C:\Windows\SysWOW64\Ddokpmfo.exe

Filesize
2.5MB

MD5
f2f79b6589cf55ba63b395d06ebd7c8c

SHA1
417e51b1ab0335502aa5771e57cc1dd58f80fb53

SHA256
aea652bf6e9ae609a6ad83f879bdaca8f7befc97451694abfef1d97fba7ca2ad

SHA512
de2e3f5ea0dfd8924f44f76a9b28f91b1b81b45861e608cce3dfb608c9a67775707998378ddc7c2dd777225051e864d818dfc4f67995a321a9a754a180526165

Download Submit
C:\Windows\SysWOW64\Dgmglh32.exe

Filesize
2.5MB

MD5
a3248671bf8b56222d39fea2e99c8d86

SHA1
bca4b2f5d94081ca38e06d4a21b3e07b9460c7bf

SHA256
a669715f51f3bb13b02c49fca90ec510b4824410ac85168153d69454bd9e7692

SHA512
93a1760f38122320dd29d79ad133671981af5ec04b1cb198f81e692b7443d820aba23119a1f2c46038a3c63935fa8420760d6f0c2172e9222be6c3069113ba03

Download Submit
C:\Windows\SysWOW64\Dhmcfkme.exe

Filesize
2.5MB

MD5
070e15fe0e5edc33b9bbd2670a5a251e

SHA1
59f05806cbb6ab8afa4aab2eacaf77fdc41d8f45

SHA256
64c90f285167923e0bb706ad978a7cd19a00eb9debe8f36cae4fc4bae7edc0cc

SHA512
b03b23df5a85b896761e296f9534a1cd1c5603b41431e37f0c49bc5161d6fd8cf0ad154d881775d99b7568c0c327209af044c5be98f67201c12937c3b60af40e

Download Submit
C:\Windows\SysWOW64\Dkkpbgli.exe

Filesize
2.5MB

MD5
416f58eaf63511203430d9fc672b9e01

SHA1
de1d8d9e0e8304b6393fda69ef25740a166ddb47

SHA256
795a8f0828881b95fb6824b4353ab127cd3544dc9edfde2dbb8b3d45fdd29f9e

SHA512
e5e5d1bf5fbc4969b1194f450d15823611248ed19f9d3e69acc06e6efd8f913d3c3a4d09662aa980a8c5292cbb627cee87c15de899dc6d42ea4a12f2c57b04cd

Download Submit
C:\Windows\SysWOW64\Dngoibmo.exe

Filesize
2.5MB

MD5
76b0654228c257f5f44d5787326856ea

SHA1
e96f853179abe4db036ef8df82d0ddfea2c7f9ca

SHA256
2abe41e5ea19c47fb49b430b63925336299dd5d151021137e36d05d7d35209d2

SHA512
c098a28430bf3a09a74f6125ca51c0517dc43da2d92d931433d4f979909c0667eab7a0864dc96b75c36a831f0f742ce8bd9bdce2e0ce8cda6cd5fe4cd259b6a3

Download Submit
C:\Windows\SysWOW64\Dqelenlc.exe

Filesize
2.5MB

MD5
0b354341a8d284d8283bb746651b4e7b

SHA1
8b623fbf6e492ad34e786b622430111d48cbc519

SHA256
c0029cc6b6185818c43d9ad77a5489032cbb851346978ddff70a74d506c308ff

SHA512
c5a0285919a559cdcbbe7386b14eef1d46fcb5dc9cfb86d54493919ed955f651c91908ade4ca5415084f56764726328e315f64a704c20cd85404adef1a3e4d08

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
2.5MB

MD5
2b3b3b2dc99e5e122bc35d7b1e7b2b74

SHA1
4aa0f4fd1a6f1159a3230ea1e175e6e1071cf257

SHA256
5a0414499e3160ebfbf65893695c2f38bc0d888843a31ee378fa665bff9a2f7d

SHA512
4d2f651c3781c0a45299951d8a6cdf405a01bb753575f9beedbbeee6df36d1a6ba602b364348974dcd55b914f479655faa950c18b19d0b123d31a5a295f0f659

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
2.5MB

MD5
9727b30f8407cb47bf8dc0908e066bca

SHA1
d97d4e2bf143c3de249ca3b2747e880738dd124a

SHA256
b981f9806d8df18b5ac016e0e259295b1ee0737eba3715f37988297729f57e68

SHA512
ccf507da8775da599b6480126a80d7ac6fb7f817e38f199f29c0dec163dbaaed127e65017280262eaf6fe303b19205c9a0497cefe9f4a13d03d484bb550a7cdc

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
2.5MB

MD5
66b087843feb984c3231669479872566

SHA1
c9725747ea9c4dff29a20ba712873f083817b57a

SHA256
6b3c25d01986ab7638023accccb4263cc26178a598a142b8321633400e537c07

SHA512
c9e8a3f3373c1b20a55fb13d13c2b33d4b3f2d1910319bfcae2644674ba76d78b2ee1fd9c22896ac16c2f89720100680bca6a1873d94d45b34844396358005fb

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
2.5MB

MD5
b9dfc495e3ac9298a20bcb650dfb58b6

SHA1
a96912db6853637b89748d4d1585192c35ac5f51

SHA256
ac28fb0b3ac110c2e6b62b0dc0ebd57629c33b41b197018fcf7dc642d7bbe519

SHA512
65b76547b5471d29f725d989c155435c96534bda65c5d0e746ae3090fc35b292724fcb9bd742178f10df31d0be1d42aa29228cc3f7ca6001ffc2cdd8f34a527d

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
2.5MB

MD5
a9a67d77143706072eeafdf45d37394b

SHA1
e529e91c5d65a4a39f590b5e884013b4a7ec7276

SHA256
0b2b29a97fc602ccf81760370b28864908b5ca059f46024f90611bdd9128db1b

SHA512
f8217ae6d7cdf535e20a45665ceed621d1ca33b82db4c5348166b1e4aa538a0279ce133b09e4c067e39799e1b5b69a012329afdf559df817e7067a32977f30c8

Download Submit
C:\Windows\SysWOW64\Iklefg32.dll

Filesize
7KB

MD5
7e8e7537e3900d874654b746ed9e31c9

SHA1
bab139317025a55e3b040786278c250983091161

SHA256
3429738793720f98f8e79fa0fafa7ab164757b76ff35f91ef80bb2e6684de2c9

SHA512
21af7b8002e6eb80102b2bc94ad6f7c1255e952c62cc4e4fab73cb4bd4625174aa7acd6a857bbd721d45abdf68c2568cd5f7176221e11645f341c63ec72e2ae1

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
2.5MB

MD5
a00e5d0efbc0436bfaba9a8a3c7580e8

SHA1
7597bdddac0809d81e7cb54b9a61945e4ed0e872

SHA256
e0e40174e398a1ef3b8449d04add48492d929787e1400d47a49eb1d599633861

SHA512
6360c8205f65a8c0c6ae38851ccb012b316ef360e18321967f1dee8a906670591ef649647b5b67af376052dcc29c1ed5c4531e6ae10e6f64864213c24afa4ec4

Download Submit
C:\Windows\SysWOW64\Qhooggdn.exe

Filesize
2.5MB

MD5
005250a4fe7be302e61d59d95d3b1585

SHA1
99c07a8831fd072fa9198b00b55f607121166dbc

SHA256
2610e9bdbb33ea52b161165b360aa9129901a31228092e06273c21f7a78f3c8d

SHA512
1f00b5d89cf1fde024770cecd637400d7e114798e26c58b7202081bb700776438212a8d4243ed4b60dbf471cc30aa2559d3dad96e67da0413734113de89c5e4b

Download Submit
\Windows\SysWOW64\Adhlaggp.exe

Filesize
2.5MB

MD5
78177d64ed8f4581416704eb0d78c98a

SHA1
c57c2d429819eeb88a4f2030d099eb8dab0c70e2

SHA256
34d9c23ea98aa99d27b691f218f561bd03cb364f490df7fd7fe972c2dc4fbb00

SHA512
4a2e896887342a136fbcd5cbb8f628f9d82437ad66a4a610ee9faba633322d90425bb3913065298393f836981aef4787d9357773efc45d5d73fed5ab6db7b91e

Download Submit
\Windows\SysWOW64\Ajphib32.exe

Filesize
2.5MB

MD5
08d49fcd2414402139e9c4227344c817

SHA1
36e58f8eb2d357617deeec414ad7aea242101937

SHA256
63345f85ba0fe7a09cccde6c5c7abca2a522c7e8a2886cae4f925c3e1e54a401

SHA512
6a12c75c7ed4e7b84b9e33027e9cabcd4d010412fb8e080f3e293315d86921d31976aef6a4d638224194ab0583bef7adc48fb50f58c4d8aff0d2312d66b6c138

Download Submit
\Windows\SysWOW64\Qaefjm32.exe

Filesize
2.5MB

MD5
24c0a78f5c536ad4d42342fb40bb2b17

SHA1
719bf4fc121688e60026b6cb5a82cbab4d241354

SHA256
8832470dc600735eeff492ad8702a48546b0c7b440038efc4c8447abdad81bf2

SHA512
47baf1efade5f4da0f22c2ea68c9dbafbd2fa62874db331553946c2c7d0639f68d0ce55c73a3a8d86fdb4d7e2aae4648ed6a340c217c340e5a885b5a796cf5bb

Download Submit
memory/412-448-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/412-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/584-444-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/584-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/656-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/656-442-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1092-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-458-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1324-395-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1324-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-396-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1364-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-466-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1436-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-460-0x0000000000770000-0x00000000007A4000-memory.dmp

Filesize
208KB

Download
memory/1464-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-31-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/1484-383-0x0000000000480000-0x00000000004B4000-memory.dmp

Filesize
208KB

Download
memory/1484-384-0x0000000000480000-0x00000000004B4000-memory.dmp

Filesize
208KB

Download
memory/1484-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-453-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1564-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-436-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1608-470-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1608-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-471-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1652-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-420-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1652-422-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1872-450-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1872-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-451-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1972-6-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1972-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-438-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2084-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-440-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2328-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-446-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2404-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-61-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2636-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-373-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2672-368-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2676-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-456-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2844-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-462-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2900-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-415-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2900-406-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2908-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-468-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3004-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-464-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads