c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f

Analysis

max time kernel
133s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe
Size

63KB
MD5

d3a2311ccb26c5e5b9f04838cec67eb0
SHA1

8d113d513ce501cacd78decd3508a765144c6bb8
SHA256

c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f
SHA512

8285e8e8d1ed20141c97c4fd19049cd9b023b5c8f5cb055b72b76d09822b05e7ac039d9408e14e15d1b9f57f0abfb99a03c4945e9873518ace573e018fc711e2
SSDEEP

1536:D40KIBkm0jn8FAE6tj6m5IYcQH1juIZo:D4JIKm0AAE6tjoQH1juIZo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe

Executes dropped EXE 64 IoCs

pid	Process
3172	Ajckij32.exe
1084	Aqncedbp.exe
4564	Aclpap32.exe
2424	Ajfhnjhq.exe
1272	Anadoi32.exe
1056	Aqppkd32.exe
2968	Afmhck32.exe
4520	Ajhddjfn.exe
2116	Amgapeea.exe
4648	Aabmqd32.exe
1064	Aglemn32.exe
3152	Afoeiklb.exe
4988	Anfmjhmd.exe
4156	Aminee32.exe
4376	Aepefb32.exe
2652	Accfbokl.exe
1312	Bfabnjjp.exe
2784	Bnhjohkb.exe
4688	Bagflcje.exe
1276	Bcebhoii.exe
3896	Bganhm32.exe
3016	Bjokdipf.exe
516	Bmngqdpj.exe
3980	Baicac32.exe
4880	Bchomn32.exe
4144	Bffkij32.exe
4748	Bnmcjg32.exe
1128	Bcjlcn32.exe
2540	Bfhhoi32.exe
1368	Bnpppgdj.exe
3768	Banllbdn.exe
2520	Bclhhnca.exe
4392	Bfkedibe.exe
3424	Bjfaeh32.exe
3312	Bmemac32.exe
2256	Belebq32.exe
376	Bcoenmao.exe
2916	Cfmajipb.exe
740	Cndikf32.exe
2044	Cabfga32.exe
3536	Cdabcm32.exe
2924	Cjkjpgfi.exe
3496	Cmiflbel.exe
1820	Ceqnmpfo.exe
4104	Chokikeb.exe
3640	Cjmgfgdf.exe
4180	Cmlcbbcj.exe
1712	Cdfkolkf.exe
2432	Cfdhkhjj.exe
3540	Cnkplejl.exe
2848	Cdhhdlid.exe
2016	Chcddk32.exe
2964	Cmqmma32.exe
4672	Ddjejl32.exe
4460	Djdmffnn.exe
548	Dmcibama.exe
4584	Danecp32.exe
5100	Ddmaok32.exe
4512	Dfknkg32.exe
4380	Dmefhako.exe
3292	Delnin32.exe
1900	Dhkjej32.exe
1968	Dkifae32.exe
916	Dmgbnq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Amgapeea.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
692	2492	WerFault.exe	163

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 3172	2680	c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe	85
PID 2680 wrote to memory of 3172	2680	c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe	85
PID 2680 wrote to memory of 3172	2680	c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe	85
PID 3172 wrote to memory of 1084	3172	Ajckij32.exe	86
PID 3172 wrote to memory of 1084	3172	Ajckij32.exe	86
PID 3172 wrote to memory of 1084	3172	Ajckij32.exe	86
PID 1084 wrote to memory of 4564	1084	Aqncedbp.exe	87
PID 1084 wrote to memory of 4564	1084	Aqncedbp.exe	87
PID 1084 wrote to memory of 4564	1084	Aqncedbp.exe	87
PID 4564 wrote to memory of 2424	4564	Aclpap32.exe	88
PID 4564 wrote to memory of 2424	4564	Aclpap32.exe	88
PID 4564 wrote to memory of 2424	4564	Aclpap32.exe	88
PID 2424 wrote to memory of 1272	2424	Ajfhnjhq.exe	90
PID 2424 wrote to memory of 1272	2424	Ajfhnjhq.exe	90
PID 2424 wrote to memory of 1272	2424	Ajfhnjhq.exe	90
PID 1272 wrote to memory of 1056	1272	Anadoi32.exe	91
PID 1272 wrote to memory of 1056	1272	Anadoi32.exe	91
PID 1272 wrote to memory of 1056	1272	Anadoi32.exe	91
PID 1056 wrote to memory of 2968	1056	Aqppkd32.exe	93
PID 1056 wrote to memory of 2968	1056	Aqppkd32.exe	93
PID 1056 wrote to memory of 2968	1056	Aqppkd32.exe	93
PID 2968 wrote to memory of 4520	2968	Afmhck32.exe	94
PID 2968 wrote to memory of 4520	2968	Afmhck32.exe	94
PID 2968 wrote to memory of 4520	2968	Afmhck32.exe	94
PID 4520 wrote to memory of 2116	4520	Ajhddjfn.exe	95
PID 4520 wrote to memory of 2116	4520	Ajhddjfn.exe	95
PID 4520 wrote to memory of 2116	4520	Ajhddjfn.exe	95
PID 2116 wrote to memory of 4648	2116	Amgapeea.exe	96
PID 2116 wrote to memory of 4648	2116	Amgapeea.exe	96
PID 2116 wrote to memory of 4648	2116	Amgapeea.exe	96
PID 4648 wrote to memory of 1064	4648	Aabmqd32.exe	97
PID 4648 wrote to memory of 1064	4648	Aabmqd32.exe	97
PID 4648 wrote to memory of 1064	4648	Aabmqd32.exe	97
PID 1064 wrote to memory of 3152	1064	Aglemn32.exe	98
PID 1064 wrote to memory of 3152	1064	Aglemn32.exe	98
PID 1064 wrote to memory of 3152	1064	Aglemn32.exe	98
PID 3152 wrote to memory of 4988	3152	Afoeiklb.exe	99
PID 3152 wrote to memory of 4988	3152	Afoeiklb.exe	99
PID 3152 wrote to memory of 4988	3152	Afoeiklb.exe	99
PID 4988 wrote to memory of 4156	4988	Anfmjhmd.exe	100
PID 4988 wrote to memory of 4156	4988	Anfmjhmd.exe	100
PID 4988 wrote to memory of 4156	4988	Anfmjhmd.exe	100
PID 4156 wrote to memory of 4376	4156	Aminee32.exe	101
PID 4156 wrote to memory of 4376	4156	Aminee32.exe	101
PID 4156 wrote to memory of 4376	4156	Aminee32.exe	101
PID 4376 wrote to memory of 2652	4376	Aepefb32.exe	102
PID 4376 wrote to memory of 2652	4376	Aepefb32.exe	102
PID 4376 wrote to memory of 2652	4376	Aepefb32.exe	102
PID 2652 wrote to memory of 1312	2652	Accfbokl.exe	103
PID 2652 wrote to memory of 1312	2652	Accfbokl.exe	103
PID 2652 wrote to memory of 1312	2652	Accfbokl.exe	103
PID 1312 wrote to memory of 2784	1312	Bfabnjjp.exe	104
PID 1312 wrote to memory of 2784	1312	Bfabnjjp.exe	104
PID 1312 wrote to memory of 2784	1312	Bfabnjjp.exe	104
PID 2784 wrote to memory of 4688	2784	Bnhjohkb.exe	105
PID 2784 wrote to memory of 4688	2784	Bnhjohkb.exe	105
PID 2784 wrote to memory of 4688	2784	Bnhjohkb.exe	105
PID 4688 wrote to memory of 1276	4688	Bagflcje.exe	106
PID 4688 wrote to memory of 1276	4688	Bagflcje.exe	106
PID 4688 wrote to memory of 1276	4688	Bagflcje.exe	106
PID 1276 wrote to memory of 3896	1276	Bcebhoii.exe	108
PID 1276 wrote to memory of 3896	1276	Bcebhoii.exe	108
PID 1276 wrote to memory of 3896	1276	Bcebhoii.exe	108
PID 3896 wrote to memory of 3016	3896	Bganhm32.exe	109

C:\Users\Admin\AppData\Local\Temp\c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe
"C:\Users\Admin\AppData\Local\Temp\c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\Ajckij32.exe
  C:\Windows\system32\Ajckij32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\Aqncedbp.exe
    C:\Windows\system32\Aqncedbp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\Aclpap32.exe
      C:\Windows\system32\Aclpap32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        71⤵
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        72⤵
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        73⤵
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        74⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 428
        75⤵
        Program crash
        
        PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2492 -ip 2492
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
63KB

MD5
2986eb99eefc194a999dba0003fbe314

SHA1
4ecbab39a375925231603d05bb79d1a374e84563

SHA256
c9d4414897779f89383850aad9d8b7ae49a5da85ce74d673052df10eacd64dc8

SHA512
d2fd16238e5f7a9e2320a30918bcda8ea8e4705e8ac7a324d91197f52c24a23c50fd19df76fd9fcb32e67107fe4fa2ea043527d1644421c67c5846bed5b792c8

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
63KB

MD5
b01ca23223df71fcd08913b1391ebe8a

SHA1
abe1773b31162f959ba3ac1f48ccd6419dc677fc

SHA256
1ce74bb39a03d0f3bd426c9fafc6e8f55866ea530d93f2a67cc5f5d72e215d02

SHA512
93c7afa98e88a0cd74dce841a4c95c186d2f1b67f2a43fe8e2263d9f654267c51cecf91e6d328f9f74bb5cfd3720a2766a614a430c91c343aa876ec32a323849

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
63KB

MD5
370b69c408caa003904e2e863fb8769d

SHA1
721cf3a7c1cb3b2867079d93c60b8c2f5d70d2ab

SHA256
72aac2e3cb871a3a319e6e46535d7d51d04adb9c95cefbd6be4dda73119b78cf

SHA512
a573caee7ce45187c0599c33be9c81336b541a6244ac36097cc51e059b397dd03e87d4f0a7379af4dd8d5f15279635c825d906f2d954ea187355eb385ce4f322

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
63KB

MD5
7abc691e215629174755313948853d2b

SHA1
5150232f66441fd9cdb01cf3dbaa616a6bfaa7b7

SHA256
b11d1e0588f48a6dde6b3b0e8d53c3e0492d49e46729d6d6471c13bbc157a481

SHA512
090f7e043647ccdecd025b5efc2edd8a40a381bf8527e2506504e5a0220aa3e646044d8b4ad47f17c9c33bbebf1c7590ad8d5d9ef79f38ab61e73c4f67815827

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
63KB

MD5
b5b83d9bf623a738c6dd2ef3885f243b

SHA1
0346ac41386f0b9a93b0fd20c09307ccd9956c43

SHA256
38e1ab97dfae232d1134f63559ea2025a55b32e0915c3eec6d24535023fbf80d

SHA512
ae4d9fa9acaa0c90166c4beabc9be28eba9277b80a39cd80194324ade0e301237633b8f2ab29a9a4bc53baadb65007f0d1ad045f44c3210794ebf0d16f2fbf4c

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
63KB

MD5
093c023d38dcd6557924edac7ef2f5fc

SHA1
96ceed91456effba78fc550a6e64da744450c004

SHA256
bef4d5af121f8bfde26f81595ad050fc8b14173e5a18c62190d16206f24fbde0

SHA512
a9cbef8fc7b45607685c1318cb733136431aaf602cccdd9cd791febbbc3104272ce390f06be462637f5a1fe29bcda4dbfcfcdf3371c88600938302e25a6d70a3

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
63KB

MD5
5a32860041fde4d09982d569f48c1b74

SHA1
f8b6f613c438b75bc36f279fbea457fd306d64ad

SHA256
bc56d484ff22d848d94d6e3845ab5b57fa03bef08c5d3cce10722c92b9320da6

SHA512
bc6bff6279a4dd765a360e443783562cf0c30882631e233f6e3349e1061d704dc2cf8e71d453dba8f7d4007833fdb862529606988f35699afc7c49d38883f79c

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
63KB

MD5
7194acb9ed6160f0a7c83c27b218e5a3

SHA1
b3a90fc413ef9889116c380cf8a01ee678484e1b

SHA256
699fc6316e6aa6e2d292bf603822a51f46ba36d3c777a19a55cb342c719ab62b

SHA512
b16fdcb454b2ed52b2406a977b5311b3abf6f82d4f60fa2bcebb678b727f4c1f98d5b37f99ca0a214822ed3d97fe05077e586351ecf7447447c0fd842d59f60f

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
63KB

MD5
284065d111c7101cee584f8a2f599a36

SHA1
4f6202fb7ebaa94084c8c91642655fa51b836940

SHA256
8ade7ad0eff33620f8b8f285fae431886c7b4f63104a3538677b6e915fee0723

SHA512
8f088465380cb74e019bc8ce323e00483418f652f92f818f2b63092536a40fb9a658f4a8e00e028204a2125ad246f5352266abc3f27047088aee8a691026b642

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
63KB

MD5
6af3755e2eadae816fd1a4027a75c593

SHA1
f3d6bc0b3d350d9d6bc2849cb41571a1c7da8311

SHA256
5b4a009df2e40b874a3391edd0c8b3195694cbbaf8f3ad62d1360dbad8858907

SHA512
7e733af08bab21505f441c078d2b4aa3f8bd557484d181ca86452686a0896acf4db40876f386d9d4a35828e25201c9d2565ec188268511df9cc3da7eea30d681

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
63KB

MD5
973d6ee21252954b720780764435a021

SHA1
6fee900a37574adec91c0da2331bbbf8781a3070

SHA256
4a36b8d82dad5e46c785804fa90bfb21330db56611c8b988acd01b30d35fe043

SHA512
d678aef2fedc18441635229e0910ebac4caaa475bf5989e14e6d1ab9a8d23e924d4b01c8909e2676c9cb299690252ef4e3c3b5dd7ac2fc9214a37ad9745da8cd

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
63KB

MD5
0ee9b3f0ca8e682b13f87039dcc04f8a

SHA1
51c69da55da3d2cd17388b22f4f1e1144c079af7

SHA256
c7e76a13adefff70d7dccf2c807ff1856ced718df20b1440aaa2c34b512b5943

SHA512
dc342d1a991709a6223448e6942784ab0147c1cb164b707e9eaa4db489deccb435a9f2cca388a386da6b028384efa7ead449abdc46a84c8144cf8a64fb381ec7

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
63KB

MD5
44e9577f536da851339f7d8f12309f20

SHA1
729e923ee669c7031829d10652135230384c9715

SHA256
22bc690b468a63cd84dbcb372cb89239a61d0295bac4ff8b095ec4f03bb34bbc

SHA512
17287ebf5add9ecb7c5ad782dd39d8ffa6fff72a88931d1024a1e84b1ed5f305f0513e90e3758fb88d7d6be2bc055e6eccd117c0ff53fa0b411cf4525bcd19e4

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
63KB

MD5
4fe6f4d132677f1bf1f1782a2350071e

SHA1
c51af4219ce80f3430aa848421c452ac61a63ada

SHA256
7404f2fb3ceebf45e71019197511ba3bc47ea4d0bd46d3ff2edb70064ae33bee

SHA512
bc1bf4fee19a6353256fe83c1ab0d0a317c2988ef499f4a97d7284a4ead8a668999fe44f5b971de60db7cb24689f2bc8a3741741c68cb98ef716df58d2375517

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
63KB

MD5
4975b9f075127c34132bba607f78fd5e

SHA1
4084880bcfd71ded87183f57e51e02ffad8c2f97

SHA256
35a1203f90c13d559bc3f9410ab4d0749880109f515be71c374fea183b66fc4a

SHA512
597429c97ebf3f2441f2f00ba5487958ad54ca6a9f81f76545fa090c11a6f80597f71f9ee4dcf113d8557d4d56e0176b5be6fb6d4de7dfdea75692fac7fd9e21

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
63KB

MD5
54c1c23048431022b07eb5049a068e90

SHA1
00d2425d87f6e2080bef2ff143ab735ce2b46237

SHA256
a9bea5b47f85a3921d27d4a4e207d549c31934b374602faeea37c2fc01544415

SHA512
963a151e8f979698ce7404a3c255b9cfb4f426a3f0737c647b6c56ced9abb85c3c201b5fb8ff023df646835803680443992f058426af27779e2a655417a0c536

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
63KB

MD5
ff418145f558ab65b3ca989f08fa6fc6

SHA1
4c31be33a57b99d509da0c0ecb99cb5a22180f9b

SHA256
7c699f624d1c28123c63421f848d716259c326a24ba28f74af5358cb3cb8571c

SHA512
b6d1434b01d87e1b1569e532824eae7196da2f46f655ebedb3080440a7d492ef091afa44583928197b1ad509faa25593745106e7feaf2146f360cfbb9be8c463

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
63KB

MD5
bbadaad6d88a350eb33aedf9fa02a848

SHA1
9a5173b35bf9302bccaaf8df7d39e3c97a4dc70f

SHA256
9a6d4b53db2b7a43b5ea989e6eaedced91037c08e432ae9002358709858eb5b1

SHA512
64662dad913c3cdc5eeaf217d5fb21128e32c1d485193d4008fd26d905ea3a1a1142865ab9d397f8a06ab9b8c5b34bc0a56fea9bb9dc31745b5207d2db6590db

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
63KB

MD5
3a67d1eb99a8efd172865936a0116658

SHA1
8dc7e14f4be6476ccfa81d0c57f970d44a800cb7

SHA256
8030f395ce7c92648438844543ee8081c954b97c6c1e055ef0d2721dd23c076e

SHA512
0a060051f6549249eb1864560ceaeb8e906891cf93cab5c6119186919051b4ccb8b4b073fd9483ae545e89f5ec47fba18d0710da09094703c5cbd06b09ef4c18

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
63KB

MD5
92a6132ee6d1eec29d5534f46fac7547

SHA1
3a101ebf0845225943f868de4bb7f497da392134

SHA256
95989d4220f1957ce7c7b34282f7160711bd7be9b07489069d5fd1b97b0b89bb

SHA512
0369a009a5e2532a5fc7dd802baea91ce05137e159a3aa5bdc2e9901a9dccb7737c4089491d44929f47c3523f4a2f645b45dc7182c41ecea73abc69de334acfb

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
63KB

MD5
0be9a3bfb2babbf6eb9e16206caa4db3

SHA1
d9c38da1727dc5dce25f239de1de62f70f5ce20b

SHA256
c59b3512c3b29ed3e0403cbcb6da4a92f027fa750af582df4499c626a8256b90

SHA512
63b4d56cb345f68737d275caaf6e3be8f0db02628f36caf0f8bd5fc2ff8d996859b12d3047e5829b172e1aa78061cd52c06fa70f2232bf1ad8cb223c85f9940e

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
63KB

MD5
5ce42a98bd32382a08e1bcc0d1a988a5

SHA1
537a03f403460c2ab55b27b43df2af0bf80216e3

SHA256
1c8a79dff3bcc75ff55ba3d18a9516f1c84dd6d29dddec9d3f25da879001f003

SHA512
64a480574415c167c144755bdf9f2772cb538394d6d76bec37495670e1c9eb089ad3802a21525fcf79ed8287aee2f6e55c1763d57608acb2cc25a888db6bd790

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
63KB

MD5
538a0e243784a82073b70737cadb22fa

SHA1
556d2c079090059f909d6bb2fffb3f60aba196a0

SHA256
63fbcbb3fa5758e42f4811172a4c767edb23a507d27a8c82c889327fbc736413

SHA512
2c3c0ebd0c1cddb7fca9f9fc2b5364ad7b9c8ef6dc4aeaa9d6acd671c369b4a49ab9d827a821712972018dd74e99a534e4c9d056e70ab0e8fc8a4254c2363467

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
63KB

MD5
87057508e89185c16b79546acc5ee798

SHA1
a5d60972ce1b647b620bf18d9dd28061c616df0f

SHA256
94b44239cc147d4281ff83d2ec96ed023d30a0d69d0a70041362d8b686eeb8cc

SHA512
1afad193fe81f8c121282283bb954a5e9a06607aaa727ab6e344d4888f1f76290d058c9bd76c5b02d71ade3c98566683145f1750bfafaf9ff81c7c6e21a4d80d

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
63KB

MD5
86287da9f349383d25b25f319b13eb0b

SHA1
bccf3343ab6f0bad73abfaab2ed37e039cda63a2

SHA256
e0109799e41e01ec05830c310249ee610feeefb19a00ea18c3194cb1efcc0d31

SHA512
d3a802171642db6a68e19438c849e6286c991646a1d214439b519ad54b107b067a1006727e37062f2befdbe58032d75490f50add44394a104dad3aef4c4796fc

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
63KB

MD5
14373bd2ef1fe2794b47ee459baf70bf

SHA1
02958cbcef60da74a3748ab2af54c8b86f0c843b

SHA256
b30b93c362d0b3bc9b28e5a7b96f4ac435b43382736234e4cda7eddcebac0b39

SHA512
588e962ac384d0e936d14249c31b00a8fb0e24d0530c1a140e2e58b9f3ec9ae12fbbb61c99cce76fc1e3cabffc5563caff05b9d1df9a064a0adb240d4295791e

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
63KB

MD5
8d01de5d4338e56f7de15cdeec0faa41

SHA1
88433dabee64f7e088abf04f8fdae351841f6d04

SHA256
d62c1fb4ec123c472fe07be81923e2171571b21aaab0768be4ad626c5f2116ef

SHA512
4ba3cfa14fb313ab522752e5afb546774ed5a0c1b5cf1b7eeb156b7a57de801379fec6f3f878e0cb8119507ac45cc71dd7b9da63de0dfef7a1bf5956a047839d

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
63KB

MD5
4a3231ce36b60b72d51b0a1f9a0c7d26

SHA1
26ccc244db785feec4ed214e44a0059771573634

SHA256
18e6fb6fe5ae58ec322b2534918f5badae0a3c6ba0941795d7bdab39e29b1c84

SHA512
56d12b20de0697c409b19e5362475a6200b9c94901597a3d39b4c5d37db65bb9303bcd4581b04583961ab42e6468d369dd0878611d699bb82fa528c8debcf325

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
63KB

MD5
aba1717c374d5d73355c0ec14d56d961

SHA1
decd70c4bcdb2f2b779b3c8eb0dfb67af0b630c7

SHA256
c5c5b5c136d748715bcbcb931636858fee0a3ca4c59f5effe6dde0d45dc2ed1f

SHA512
cd17e7997f2aa333532c1cb8f00e9324a6bfde2f9ade37114c69e92498941a4eb7836939c0110dd4bfc3fe952f022a12c57e29ec406ecd5849eb17be3fcc5628

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
63KB

MD5
7236647680b4c15d7e85508715586ef5

SHA1
a4986327d607d1fcd1e79347daa8ce335778be16

SHA256
cb6a4aec2ed1b72f13b3b4151b7612e761552fa8ddf159aaf9e855c1aa85a0ee

SHA512
d715d2cbf3229c344994830f6171fb8e7ddf9ab40df736095903f47a478f861c8fe8dd105b6812a88ded0973d2a648448c0c4314f27f348353d422e6bf0dbef7

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
63KB

MD5
20adf378d0431abb8e8540edb5508092

SHA1
1d9d43e70c79833febb8acd249774a10b6dfc08d

SHA256
01215a655f528d19dd306e898993143b2ad27a219444c5d73ad570f3c58671d4

SHA512
9ff0d5e492c55c849ef78a3bccde563068e5ab93247848fb2fb7af9ee126c66f623680a115d7a1671746152d9e82aba117dae9d40d68004aa0d3f771efdfa77c

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
63KB

MD5
a0b8d203ead83b2584757c2e560382a8

SHA1
5c2a0edb0c34f0e3c3084422e804632f658b3b23

SHA256
ceffedd257bc0fc412a43269e5b35a6004ca5cb2281a4adf3bf8a8126f7b4406

SHA512
3cfbf958a60a1442889e47b2f1e02af9fa3e6b7b6767458e25d32d50c1ae5f769595ba706f027e585b70ba45fd44039915499e1dfa0c2474203dfdc09f5ee4d7

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
63KB

MD5
1f2865f394de838474a1ca3e3e3d7305

SHA1
da529b9928ced37bd6167869b330e53bcb03ff2b

SHA256
cfbebf3ca013fb5c3474f098b891d2a17313cb96ca2ebcaac2148bb2d0991a07

SHA512
47856ff4b7311067f5dcf8cd1953a3ad990acce9bc582de8d0a8d329990648730c422407566182a3fb35743a3ee885184c1428edeea4f40e1bd30deeb5bc6e5e

Download Submit
memory/376-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/516-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-525-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1056-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1276-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1820-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1820-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-77-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-537-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-498-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2540-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-5-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/2784-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-549-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-531-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-592-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-535-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3640-542-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3640-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3896-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3980-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4180-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4180-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4380-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4392-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4460-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4460-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4564-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-523-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4672-529-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4672-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4748-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4880-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads