c8e9d09ad447ee95b879b7a55829d94a1aac2ecc6546942b9e08f7e3e5709088

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
Size

399KB
MD5

a2113a088085d07d2d7688ab2b0914d3
SHA1

d782d1f3fac232b34cdde024b8bbfe2284f7ffe6
SHA256

a55fe6993340d8be732d319c53e0605173924f3496b139d17804802e4b2c8bbb
SHA512

8e5620596d0a998ecefd01a7ac37925590f5c327952d8da209a3a6d27f602cd673777740cc39a83ddab522752e346aeb59d0845319d47ed848ce9c773ee97cd5
SSDEEP

6144:pBQmrW2tgBdgzDEXE6NJsjwszqjwszeXwNJsjwszIjwszeXtjwszeXm:pBdc8sajMjejCjaj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Epdkli32.exeFacdeo32.exeIdceea32.exeBkaqmeah.exeCkffgg32.exeHmlnoc32.exeCjlgiqbk.exeGdamqndn.exeHgdbhi32.exePccfge32.exeFilldb32.exeBpafkknm.exeEloemi32.exeGejcjbah.exeGdopkn32.exeOkfencna.exePfflopdh.exe[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exePlahag32.exeCgpgce32.exeFmcoja32.exeGloblmmj.exeAbbbnchb.exeCckace32.exeHcnpbi32.exeOjficpfn.exeCjbmjplb.exeHenidd32.exeEfncicpm.exeDmoipopd.exeHnagjbdf.exeGhoegl32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdkli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkaqmeah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckffgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjlgiqbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pccfge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpafkknm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eloemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eloemi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfencna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfflopdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkaqmeah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpafkknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epdkli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plahag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpgce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plahag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbbnchb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpgce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cckace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckffgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojficpfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbbnchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjlgiqbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbmjplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccfge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojficpfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efncicpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfflopdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmcoja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfencna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbmjplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cckace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filldb32.exe

Executes dropped EXE 32 IoCs

Processes:

Ojficpfn.exeOkfencna.exePccfge32.exePlahag32.exePfflopdh.exeAbbbnchb.exeBkaqmeah.exeBpafkknm.exeCjlgiqbk.exeCgpgce32.exeCjbmjplb.exeCckace32.exeCkffgg32.exeDmoipopd.exeEpdkli32.exeEfncicpm.exeEloemi32.exeFmcoja32.exeFilldb32.exeFacdeo32.exeGloblmmj.exeGejcjbah.exeGdopkn32.exeGdamqndn.exeGhoegl32.exeHmlnoc32.exeHgdbhi32.exeHnagjbdf.exeHcnpbi32.exeHenidd32.exeIdceea32.exeIagfoe32.exe

pid	process
2168	Ojficpfn.exe
2876	Okfencna.exe
2760	Pccfge32.exe
2744	Plahag32.exe
2576	Pfflopdh.exe
2840	Abbbnchb.exe
3044	Bkaqmeah.exe
2112	Bpafkknm.exe
2028	Cjlgiqbk.exe
3048	Cgpgce32.exe
2812	Cjbmjplb.exe
1924	Cckace32.exe
1296	Ckffgg32.exe
1960	Dmoipopd.exe
2036	Epdkli32.exe
484	Efncicpm.exe
844	Eloemi32.exe
1472	Fmcoja32.exe
2000	Filldb32.exe
1664	Facdeo32.exe
1204	Globlmmj.exe
1128	Gejcjbah.exe
2220	Gdopkn32.exe
576	Gdamqndn.exe
1108	Ghoegl32.exe
2880	Hmlnoc32.exe
1704	Hgdbhi32.exe
2620	Hnagjbdf.exe
2656	Hcnpbi32.exe
2928	Henidd32.exe
2644	Idceea32.exe
2640	Iagfoe32.exe

Loads dropped DLL 64 IoCs

Processes:

[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exeOjficpfn.exeOkfencna.exePccfge32.exePlahag32.exePfflopdh.exeAbbbnchb.exeBkaqmeah.exeBpafkknm.exeCjlgiqbk.exeCgpgce32.exeCjbmjplb.exeCckace32.exeCkffgg32.exeDmoipopd.exeEpdkli32.exeEfncicpm.exeEloemi32.exeFmcoja32.exeFilldb32.exeFacdeo32.exeGloblmmj.exeGejcjbah.exeGdopkn32.exeGdamqndn.exeGhoegl32.exeHmlnoc32.exeHgdbhi32.exeHnagjbdf.exeHcnpbi32.exeHenidd32.exeIdceea32.exe

pid	process
1912	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
1912	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
2168	Ojficpfn.exe
2168	Ojficpfn.exe
2876	Okfencna.exe
2876	Okfencna.exe
2760	Pccfge32.exe
2760	Pccfge32.exe
2744	Plahag32.exe
2744	Plahag32.exe
2576	Pfflopdh.exe
2576	Pfflopdh.exe
2840	Abbbnchb.exe
2840	Abbbnchb.exe
3044	Bkaqmeah.exe
3044	Bkaqmeah.exe
2112	Bpafkknm.exe
2112	Bpafkknm.exe
2028	Cjlgiqbk.exe
2028	Cjlgiqbk.exe
3048	Cgpgce32.exe
3048	Cgpgce32.exe
2812	Cjbmjplb.exe
2812	Cjbmjplb.exe
1924	Cckace32.exe
1924	Cckace32.exe
1296	Ckffgg32.exe
1296	Ckffgg32.exe
1960	Dmoipopd.exe
1960	Dmoipopd.exe
2036	Epdkli32.exe
2036	Epdkli32.exe
484	Efncicpm.exe
484	Efncicpm.exe
844	Eloemi32.exe
844	Eloemi32.exe
1472	Fmcoja32.exe
1472	Fmcoja32.exe
2000	Filldb32.exe
2000	Filldb32.exe
1664	Facdeo32.exe
1664	Facdeo32.exe
1204	Globlmmj.exe
1204	Globlmmj.exe
1128	Gejcjbah.exe
1128	Gejcjbah.exe
2220	Gdopkn32.exe
2220	Gdopkn32.exe
576	Gdamqndn.exe
576	Gdamqndn.exe
1108	Ghoegl32.exe
1108	Ghoegl32.exe
2880	Hmlnoc32.exe
2880	Hmlnoc32.exe
1704	Hgdbhi32.exe
1704	Hgdbhi32.exe
2620	Hnagjbdf.exe
2620	Hnagjbdf.exe
2656	Hcnpbi32.exe
2656	Hcnpbi32.exe
2928	Henidd32.exe
2928	Henidd32.exe
2644	Idceea32.exe
2644	Idceea32.exe

Drops file in System32 directory 64 IoCs

Processes:

Bkaqmeah.exeCjlgiqbk.exeCkffgg32.exeDmoipopd.exeEloemi32.exe[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exeOjficpfn.exeAbbbnchb.exeHgdbhi32.exeHenidd32.exeHnagjbdf.exeIdceea32.exeGejcjbah.exeOkfencna.exeCjbmjplb.exeEpdkli32.exeFmcoja32.exeFilldb32.exeGdamqndn.exeHmlnoc32.exeCckace32.exeFacdeo32.exeGdopkn32.exeBpafkknm.exeHcnpbi32.exeEfncicpm.exeGhoegl32.exePccfge32.exeGloblmmj.exePlahag32.exePfflopdh.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Bpafkknm.exe	Bkaqmeah.exe
File opened for modification	C:\Windows\SysWOW64\Cgpgce32.exe	Cjlgiqbk.exe
File created	C:\Windows\SysWOW64\Naeqjnho.dll	Ckffgg32.exe
File created	C:\Windows\SysWOW64\Epdkli32.exe	Dmoipopd.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Eloemi32.exe
File opened for modification	C:\Windows\SysWOW64\Ojficpfn.exe	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
File created	C:\Windows\SysWOW64\Okfencna.exe	Ojficpfn.exe
File opened for modification	C:\Windows\SysWOW64\Bkaqmeah.exe	Abbbnchb.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Ekchhcnp.dll	Okfencna.exe
File opened for modification	C:\Windows\SysWOW64\Cckace32.exe	Cjbmjplb.exe
File created	C:\Windows\SysWOW64\Lkojpojq.dll	Epdkli32.exe
File created	C:\Windows\SysWOW64\Dhggeddb.dll	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Filldb32.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Gclcefmh.dll	Cjlgiqbk.exe
File opened for modification	C:\Windows\SysWOW64\Dmoipopd.exe	Ckffgg32.exe
File created	C:\Windows\SysWOW64\Filldb32.exe	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Cgpgce32.exe	Cjlgiqbk.exe
File created	C:\Windows\SysWOW64\Bioggp32.dll	Cjbmjplb.exe
File opened for modification	C:\Windows\SysWOW64\Ckffgg32.exe	Cckace32.exe
File created	C:\Windows\SysWOW64\Globlmmj.exe	Facdeo32.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Okfencna.exe	Ojficpfn.exe
File created	C:\Windows\SysWOW64\Gmdecfpj.dll	Bkaqmeah.exe
File created	C:\Windows\SysWOW64\Cjlgiqbk.exe	Bpafkknm.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Eloemi32.exe	Efncicpm.exe
File created	C:\Windows\SysWOW64\Lpbjlbfp.dll	Efncicpm.exe
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	Eloemi32.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Cjlgiqbk.exe	Bpafkknm.exe
File created	C:\Windows\SysWOW64\Ckffgg32.exe	Cckace32.exe
File created	C:\Windows\SysWOW64\Glpjaf32.dll	Dmoipopd.exe
File opened for modification	C:\Windows\SysWOW64\Globlmmj.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Pccfge32.exe	Okfencna.exe
File created	C:\Windows\SysWOW64\Plahag32.exe	Pccfge32.exe
File created	C:\Windows\SysWOW64\Ffakeiib.dll	Bpafkknm.exe
File created	C:\Windows\SysWOW64\Ldahol32.dll	Globlmmj.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Eloemi32.exe	Efncicpm.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Filldb32.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Globlmmj.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Cckace32.exe	Cjbmjplb.exe
File created	C:\Windows\SysWOW64\Omeope32.dll	Cckace32.exe
File created	C:\Windows\SysWOW64\Dmoipopd.exe	Ckffgg32.exe
File created	C:\Windows\SysWOW64\Fmcqoe32.dll	Plahag32.exe
File opened for modification	C:\Windows\SysWOW64\Abbbnchb.exe	Pfflopdh.exe
File opened for modification	C:\Windows\SysWOW64\Bpafkknm.exe	Bkaqmeah.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2528 2640 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
2528	2640	WerFault.exe	Iagfoe32.exe

Modifies registry class 64 IoCs

Processes:

Cckace32.exeHcnpbi32.exeIdceea32.exePfflopdh.exeDmoipopd.exeHnagjbdf.exeHenidd32.exeGdopkn32.exeFmcoja32.exeGhoegl32.exePlahag32.exeFacdeo32.exeHmlnoc32.exeEpdkli32.exeOkfencna.exeCjbmjplb.exeGloblmmj.exeGejcjbah.exeBpafkknm.exe[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exeEfncicpm.exeFilldb32.exeHgdbhi32.exeOjficpfn.exeEloemi32.exeAbbbnchb.exeCjlgiqbk.exeCgpgce32.exePccfge32.exeBkaqmeah.exeCkffgg32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omeope32.dll"	Cckace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfflopdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfpbmji.dll"	Pfflopdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plahag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekchhcnp.dll"	Okfencna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bioggp32.dll"	Cjbmjplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfflopdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakeiib.dll"	Bpafkknm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll"	Efncicpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll"	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojficpfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eloemi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbbnchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll"	Cjlgiqbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjgjmd32.dll"	Ojficpfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmbeioh.dll"	Pccfge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiich32.dll"	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pccfge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdecfpj.dll"	Bkaqmeah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckffgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkaqmeah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpafkknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maomqp32.dll"	Cgpgce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbmjplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cckace32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgpgce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll"	Eloemi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckffgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Globlmmj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1912 wrote to memory of 2168	1912	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe	Ojficpfn.exe
PID 1912 wrote to memory of 2168	1912	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe	Ojficpfn.exe
PID 1912 wrote to memory of 2168	1912	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe	Ojficpfn.exe
PID 1912 wrote to memory of 2168	1912	[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe	Ojficpfn.exe
PID 2168 wrote to memory of 2876	2168	Ojficpfn.exe	Okfencna.exe
PID 2168 wrote to memory of 2876	2168	Ojficpfn.exe	Okfencna.exe
PID 2168 wrote to memory of 2876	2168	Ojficpfn.exe	Okfencna.exe
PID 2168 wrote to memory of 2876	2168	Ojficpfn.exe	Okfencna.exe
PID 2876 wrote to memory of 2760	2876	Okfencna.exe	Pccfge32.exe
PID 2876 wrote to memory of 2760	2876	Okfencna.exe	Pccfge32.exe
PID 2876 wrote to memory of 2760	2876	Okfencna.exe	Pccfge32.exe
PID 2876 wrote to memory of 2760	2876	Okfencna.exe	Pccfge32.exe
PID 2760 wrote to memory of 2744	2760	Pccfge32.exe	Plahag32.exe
PID 2760 wrote to memory of 2744	2760	Pccfge32.exe	Plahag32.exe
PID 2760 wrote to memory of 2744	2760	Pccfge32.exe	Plahag32.exe
PID 2760 wrote to memory of 2744	2760	Pccfge32.exe	Plahag32.exe
PID 2744 wrote to memory of 2576	2744	Plahag32.exe	Pfflopdh.exe
PID 2744 wrote to memory of 2576	2744	Plahag32.exe	Pfflopdh.exe
PID 2744 wrote to memory of 2576	2744	Plahag32.exe	Pfflopdh.exe
PID 2744 wrote to memory of 2576	2744	Plahag32.exe	Pfflopdh.exe
PID 2576 wrote to memory of 2840	2576	Pfflopdh.exe	Abbbnchb.exe
PID 2576 wrote to memory of 2840	2576	Pfflopdh.exe	Abbbnchb.exe
PID 2576 wrote to memory of 2840	2576	Pfflopdh.exe	Abbbnchb.exe
PID 2576 wrote to memory of 2840	2576	Pfflopdh.exe	Abbbnchb.exe
PID 2840 wrote to memory of 3044	2840	Abbbnchb.exe	Bkaqmeah.exe
PID 2840 wrote to memory of 3044	2840	Abbbnchb.exe	Bkaqmeah.exe
PID 2840 wrote to memory of 3044	2840	Abbbnchb.exe	Bkaqmeah.exe
PID 2840 wrote to memory of 3044	2840	Abbbnchb.exe	Bkaqmeah.exe
PID 3044 wrote to memory of 2112	3044	Bkaqmeah.exe	Bpafkknm.exe
PID 3044 wrote to memory of 2112	3044	Bkaqmeah.exe	Bpafkknm.exe
PID 3044 wrote to memory of 2112	3044	Bkaqmeah.exe	Bpafkknm.exe
PID 3044 wrote to memory of 2112	3044	Bkaqmeah.exe	Bpafkknm.exe
PID 2112 wrote to memory of 2028	2112	Bpafkknm.exe	Cjlgiqbk.exe
PID 2112 wrote to memory of 2028	2112	Bpafkknm.exe	Cjlgiqbk.exe
PID 2112 wrote to memory of 2028	2112	Bpafkknm.exe	Cjlgiqbk.exe
PID 2112 wrote to memory of 2028	2112	Bpafkknm.exe	Cjlgiqbk.exe
PID 2028 wrote to memory of 3048	2028	Cjlgiqbk.exe	Cgpgce32.exe
PID 2028 wrote to memory of 3048	2028	Cjlgiqbk.exe	Cgpgce32.exe
PID 2028 wrote to memory of 3048	2028	Cjlgiqbk.exe	Cgpgce32.exe
PID 2028 wrote to memory of 3048	2028	Cjlgiqbk.exe	Cgpgce32.exe
PID 3048 wrote to memory of 2812	3048	Cgpgce32.exe	Cjbmjplb.exe
PID 3048 wrote to memory of 2812	3048	Cgpgce32.exe	Cjbmjplb.exe
PID 3048 wrote to memory of 2812	3048	Cgpgce32.exe	Cjbmjplb.exe
PID 3048 wrote to memory of 2812	3048	Cgpgce32.exe	Cjbmjplb.exe
PID 2812 wrote to memory of 1924	2812	Cjbmjplb.exe	Cckace32.exe
PID 2812 wrote to memory of 1924	2812	Cjbmjplb.exe	Cckace32.exe
PID 2812 wrote to memory of 1924	2812	Cjbmjplb.exe	Cckace32.exe
PID 2812 wrote to memory of 1924	2812	Cjbmjplb.exe	Cckace32.exe
PID 1924 wrote to memory of 1296	1924	Cckace32.exe	Ckffgg32.exe
PID 1924 wrote to memory of 1296	1924	Cckace32.exe	Ckffgg32.exe
PID 1924 wrote to memory of 1296	1924	Cckace32.exe	Ckffgg32.exe
PID 1924 wrote to memory of 1296	1924	Cckace32.exe	Ckffgg32.exe
PID 1296 wrote to memory of 1960	1296	Ckffgg32.exe	Dmoipopd.exe
PID 1296 wrote to memory of 1960	1296	Ckffgg32.exe	Dmoipopd.exe
PID 1296 wrote to memory of 1960	1296	Ckffgg32.exe	Dmoipopd.exe
PID 1296 wrote to memory of 1960	1296	Ckffgg32.exe	Dmoipopd.exe
PID 1960 wrote to memory of 2036	1960	Dmoipopd.exe	Epdkli32.exe
PID 1960 wrote to memory of 2036	1960	Dmoipopd.exe	Epdkli32.exe
PID 1960 wrote to memory of 2036	1960	Dmoipopd.exe	Epdkli32.exe
PID 1960 wrote to memory of 2036	1960	Dmoipopd.exe	Epdkli32.exe
PID 2036 wrote to memory of 484	2036	Epdkli32.exe	Efncicpm.exe
PID 2036 wrote to memory of 484	2036	Epdkli32.exe	Efncicpm.exe
PID 2036 wrote to memory of 484	2036	Epdkli32.exe	Efncicpm.exe
PID 2036 wrote to memory of 484	2036	Epdkli32.exe	Efncicpm.exe

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]a2113a088085d07d2d7688ab2b0914d3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\Ojficpfn.exe
C:\Windows\system32\Ojficpfn.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\Okfencna.exe
C:\Windows\system32\Okfencna.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\Pccfge32.exe
C:\Windows\system32\Pccfge32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\Plahag32.exe
C:\Windows\system32\Plahag32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\Pfflopdh.exe
C:\Windows\system32\Pfflopdh.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\Abbbnchb.exe
C:\Windows\system32\Abbbnchb.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\Bkaqmeah.exe
C:\Windows\system32\Bkaqmeah.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\Bpafkknm.exe
C:\Windows\system32\Bpafkknm.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\Cjlgiqbk.exe
C:\Windows\system32\Cjlgiqbk.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\Cgpgce32.exe
C:\Windows\system32\Cgpgce32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\Cjbmjplb.exe
C:\Windows\system32\Cjbmjplb.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\Cckace32.exe
C:\Windows\system32\Cckace32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\Ckffgg32.exe
C:\Windows\system32\Ckffgg32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\Dmoipopd.exe
C:\Windows\system32\Dmoipopd.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\Epdkli32.exe
C:\Windows\system32\Epdkli32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\Efncicpm.exe
C:\Windows\system32\Efncicpm.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:484

C:\Windows\SysWOW64\Eloemi32.exe
C:\Windows\system32\Eloemi32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:844

C:\Windows\SysWOW64\Fmcoja32.exe
C:\Windows\system32\Fmcoja32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1472

C:\Windows\SysWOW64\Filldb32.exe
C:\Windows\system32\Filldb32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2000

C:\Windows\SysWOW64\Facdeo32.exe
C:\Windows\system32\Facdeo32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1664

C:\Windows\SysWOW64\Globlmmj.exe
C:\Windows\system32\Globlmmj.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1204

C:\Windows\SysWOW64\Gejcjbah.exe
C:\Windows\system32\Gejcjbah.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1128

C:\Windows\SysWOW64\Gdopkn32.exe
C:\Windows\system32\Gdopkn32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2220

C:\Windows\SysWOW64\Gdamqndn.exe
C:\Windows\system32\Gdamqndn.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:576

C:\Windows\SysWOW64\Ghoegl32.exe
C:\Windows\system32\Ghoegl32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1108

C:\Windows\SysWOW64\Hmlnoc32.exe
C:\Windows\system32\Hmlnoc32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2880

C:\Windows\SysWOW64\Hgdbhi32.exe
C:\Windows\system32\Hgdbhi32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1704

C:\Windows\SysWOW64\Hnagjbdf.exe
C:\Windows\system32\Hnagjbdf.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2620

C:\Windows\SysWOW64\Hcnpbi32.exe
C:\Windows\system32\Hcnpbi32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2656

C:\Windows\SysWOW64\Henidd32.exe
C:\Windows\system32\Henidd32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2928

C:\Windows\SysWOW64\Idceea32.exe
C:\Windows\system32\Idceea32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2644

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
33⤵
- Executes dropped EXE
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 140
34⤵
- Program crash
PID:2528

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cckace32.exe
Filesize
399KB

MD5
52e18de5692203b6427b48cc81bf1d1e

SHA1
62adc176ffdba3ad72e17da2bb1e9417b7c5a1a3

SHA256
6a41cc73269025f222a873505e55f589ef3fb86ecf2656cc86feecf4d28aa943

SHA512
78c2aac0bacbeb33b1ac8dc7d32385cfb9e01bd7d885d37839a2b27eeeb042a5e226fafa0bd75bc6948c79bc6503ae44a7fb41aff0d7cd9a16eabc31fdfd3010

Download Submit
C:\Windows\SysWOW64\Cgpgce32.exe
Filesize
399KB

MD5
0998887a44ef452e6b22d806b7c28578

SHA1
66c9caaaeed357be4edbaad69b2cee1e33ddb24c

SHA256
94e1850aecedad046c5700327cb5f559dba3c18cc676bb6e059c055b671478ff

SHA512
6c79a74a67628eb0d51c4ddf741ea32cf472d3ef973e40628288135ca80abfe85d02a9682913809f30d071a74a1a4f947810a55604cbccdcca39a9820e3b6d8d

Download Submit
C:\Windows\SysWOW64\Dmoipopd.exe
Filesize
399KB

MD5
b0c7ff726aa24a4cd9eba6c51bb03139

SHA1
848d8230d1fff0f6e6db660c908cbfb42a161291

SHA256
4d3a9b31333a14f28394a25ddc2fd241a03da633d26c41a419ea3e9f696a47d0

SHA512
3df8ef4f91a7143ac65b621f8da64aa7bf327e4c5857f29f27f17bfa5ee164aaf9404d3d5f66a16e41339469cef46800c11047416b2d1bf0c46dffe0c5f8219b

Download Submit
C:\Windows\SysWOW64\Efncicpm.exe
Filesize
399KB

MD5
60bcd767b78ee5b4ce1292e62d1af52c

SHA1
fed1e866fbaa6d4fa0343151bcecc8af3b6c75fe

SHA256
d601230364d92668377643c2538289270625db24e3126db7c82c86d717215045

SHA512
cbe72e03de7dee8856ebba6ee6f2e6a855d1b5fc8ed317ece921b1a70e14207972b4df52711a5e340ecefc3491746c2c34b129ab925067b641751f81d2fa5306

Download Submit
C:\Windows\SysWOW64\Eloemi32.exe
Filesize
399KB

MD5
659ef637fef7df1fea22099c69810b04

SHA1
ce4c2dc878a1bdeccf1b3b9f5a125757007cab33

SHA256
d8e7257d178e9c2a7650c46ef087a76e29539bc970db86977b1e30e5e2ae40cf

SHA512
3114201d2a981d0838ca4d3c00d87993c60eb364ec3a54b9e410a49413b3ac075fc681c2f9e2acf8d6176de2eb26f9a2c4cb6b234708180d984d066f8d181855

Download Submit
C:\Windows\SysWOW64\Facdeo32.exe
Filesize
399KB

MD5
1632552afcae0e26420a4a9fd820981c

SHA1
32ab250ad41b43dc446f129230bef09bdffabdf8

SHA256
eacb01c4fee7391ed4657f632bfd3846cd11bfede8e061606d4573594fd3dd57

SHA512
009a776d2f80d31a6cadbce71dd979414018440aa27487753de186e9a607560326ed932528d163f6cf05d654c73dd0632621a811d71c8c666fc08db71d89ac6d

Download Submit
C:\Windows\SysWOW64\Filldb32.exe
Filesize
399KB

MD5
3bacfa5b0d645ed49144e4312455d05c

SHA1
9de965982fc4a8145c96507804486793572135be

SHA256
e9cface38421e205cf6b5f2ab24226ad361badccec81dac450a7323e5059f77b

SHA512
149ed12acc51ee32dbd3fbdaa48759ba9da63e148775444d50b4fb2c43e1a16a113f5cfcf03b5c15f693231cc27c7cbd066a226fa517edce426690af5d0aeb79

Download Submit
C:\Windows\SysWOW64\Fmcoja32.exe
Filesize
399KB

MD5
e389a30231317fe0237b412fe93d9d81

SHA1
35e4505c62e7a5dc835687a74e11d373e399e6a5

SHA256
fe68e84dee8095d60af4204567096e83610bcd7b9f0d30a476869ef8275d1e7d

SHA512
8265699e59e1b71f7ab156c8729bfa549a193768d5bcf7f06cbb6337fe66c0d864a63050d3636b86427e16f67580dfae3251999b1ef5d8d44fa98c94065ea353

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe
Filesize
399KB

MD5
602bd8f32f2c4441223841ad817a8cd3

SHA1
193b4beadc1db2fc7760117285c3d2b74058d8a5

SHA256
31013728deb223b296f3fbb2a4015398b1a6dc60bc516b6eed434c0553d1e1e5

SHA512
a02d9e7a51d543cb9d37ac67d2ee9b6ab102f7bce1d5c7d490a0b80780b524234c02d33147bd1229c7fc60df32340bc181be6078b2365497b38ea9d4d6d291d9

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe
Filesize
399KB

MD5
5b237ca3894a058d0b1b489e3adeaa77

SHA1
e81d8d7427ff49b7aa1075d5e67892bcbdb50392

SHA256
37a74ab060ca749b34d96b7110f1051aa0e9825a8ee7c0ec6c166faacdc51d69

SHA512
4d130ff9a9947b8bbc824ea094a473b061cf74a8a7038f1a7bf57469ae09d8cc867acd6e189eb8e82b6bee0e8d160c0607e067692efff062b5f6425073f3aaae

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe
Filesize
399KB

MD5
80d5a07e9783e6d9640d29cf57e67701

SHA1
51164eea789dfad07df9e5aa6501a9562717afd3

SHA256
e511b774084fa05b2e57de3c61c3009aa9341a8b5d21e1ec89ced5f0af184553

SHA512
5dc4a2f72aaf0747dee85c366aca77fdb7b408c6786a6678852b0174d66b88208c26e8fb7ac666a7d38258e307a7af8a0ff44b366e5b6a1e5337a74938b5b264

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe
Filesize
399KB

MD5
05b52fc6304797e2be234c05b25c8f40

SHA1
ffccf935e7e45ed825ebf07b8f389bd1332d8150

SHA256
07dfad7464738f044b7a2deb51f6f0a8012cff2105ab3bfc296115a31e605c87

SHA512
25ca18dc19f4049938bb0b43eeea3dab4877b802d945bcee33b898b85a9af7bcc9545ff7799f8db1b46829a50b5d8fa032eded7def7858e095091a94a31fc92a

Download Submit
C:\Windows\SysWOW64\Globlmmj.exe
Filesize
399KB

MD5
bdbf8d96b7c1b17119e8b2b60a2225e7

SHA1
51df1a98bc8c4b66dd369c8203726a26afaf3e3f

SHA256
a210b31473912f678e3c4e5062495845d0e25a51bafd220d03baf0ae9144c1ea

SHA512
b9431e03b9e2ffe3b80be19a247930defd8665040e46623b71ea2744fd1361dc529487bed03c305d0337c648f959f5bcf539a6eb77c81d31c00a646f9bbd331f

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe
Filesize
399KB

MD5
b3f054ad1b881a5a2f990c1f1242dd4b

SHA1
58059a8b38c4739e32e7cfddb60c255c296d485c

SHA256
4cecabcb83bd08d408dd836ccf5c4f0e689da042524ea85b25a6397423011597

SHA512
96a0c98fb738eb7c046c122a520d7f6aedd3429926ed2f09560e45de8cff1949f13ddefbc42e96c25dd3fb9a486ecbc0a1183a0f3e3d75391a0aa92701225a18

Download Submit
C:\Windows\SysWOW64\Henidd32.exe
Filesize
399KB

MD5
3e2b6f56e72f9e38464911c16931b23e

SHA1
27fe2ac4f385f5d473b9dbb559a5ec11c059ca8e

SHA256
e1db85babaf902b116830091a73c047efab9ca15fc97abc4d7adf18d4bc2776b

SHA512
ff8f338a31fb0f30df980ebcfe84890c767224a57c77416eec031f2920876e7953c12e66a91990c07a015b8563a87edb9e55eda67e9a63e779384c6b92bef7a2

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe
Filesize
399KB

MD5
cfb988ff8113e9e7ddb7e0cc5a3ce4d8

SHA1
f20c9cdd5bddad564ef10b7464f8b741565b2dcc

SHA256
dc81096345e09e34d8385ce8b8c387061d35078ff013bc20760830375ca76f47

SHA512
7e2dfa0cfb7a7c55afec1c18ca31f4bd16b4703d04bcf78ae5cd8d732196d862aa533b7ad025914ebf45fc1c0cab2ab21f2041f47afceee7abf82a80da9985b3

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe
Filesize
399KB

MD5
e265d7b19e82c808c9667572ec706de6

SHA1
589422d815ffc928decfa50841a038478b5b1bf6

SHA256
85e4369b2e50bdae18ff1e8c6cbfef5232427eabccd4dd191037d6fb68bc925f

SHA512
08b29dcde04fb4c42d26c8ffd41ae763f7e2476c5385eff3109e42d447609c5f0367935f3a5fad3ce626f7e913f6d805c06dfc4fb100db2d1bc32a2d8d9c4d7f

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe
Filesize
399KB

MD5
05cce2d81ab2628373cb53d021e006c2

SHA1
cc16c3c7bb3f561af01933c9a8b341fec6a41b40

SHA256
99d8c32fb9dbae12b771873bbd9e50c86292e48a3cff70b877dc732df4e4fff3

SHA512
98b98c5ea1321a43576f233a76b39cef58c79985a5a8ad12ae4e1c23e4040a974cc2533c8b28594d4978556aeee0c9b9e907b084223bf0caf68be9c40b74c1e4

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
399KB

MD5
b826d13412d75fe4dd34a01e62f2f699

SHA1
1c077217e64a03750ce85c28c63ceb8139487b70

SHA256
6a5054671042e9f499ad3bed9f692fa5cddc1a9d9384abb95263c1242491ae32

SHA512
4f81a8fe849e145ccca7f3b9d19697e145ca6d71a068ec4e8bfc0a54e988229a2e881b662647c422ab911c06a275cc2079a6b45dce5c2da8d7c20eb3228a7778

Download Submit
C:\Windows\SysWOW64\Idceea32.exe
Filesize
399KB

MD5
9e9c571e5604f07c4a7ead52ed319bd5

SHA1
aa0e41b8dbf73afc4ba5f682271d88286cf62f23

SHA256
0265f310134701377f6142e077f8979f85e6da704248989bef86a4c8cd47038d

SHA512
424f812ed6522cb8a3833826221596e79336b4302318c22b93a8d7a60edb59fb19da67416e78cb160c9ef03dff2a804daccf1ce44fb9fa64f3b461c14959330b

Download Submit
C:\Windows\SysWOW64\Okfencna.exe
Filesize
399KB

MD5
2757e612e5c94052f7303170dd880216

SHA1
248d6d2a86fbf5aed36855e6af05bb8f31805978

SHA256
3a08527b9127b5a46ee98ac9f215db78658e144545282a7b69df5ce043490716

SHA512
7bf9ff56377ffce3daa6b1fa6bf049feb2a990e2c7a69951aa2f9079dcd9cac4c9223bda085e7897bfbccc786ec8b2a39a8cd14ebd01289a73616b639a9aacf9

Download Submit
\Windows\SysWOW64\Abbbnchb.exe
Filesize
399KB

MD5
1be91105f5e6a01308bc48ca54f61d44

SHA1
942506a70249659ac5bcdd83b807f759f6baa047

SHA256
78a98f056d615fce6fb4b22539f069ac136d52cd5171582f304e90b1db85ec1b

SHA512
303d87bf8f7e62e954f82de1c40cc3dd855d4e7682c235d5e4f3b47e74c17cdc9b1c41970942a37c9e86b052ed4a96860a53b37e91db09a50fcc925d349cc18c

Download Submit
\Windows\SysWOW64\Bkaqmeah.exe
Filesize
399KB

MD5
dc17f64294f8246554541d07fb8b7fd0

SHA1
ffaed35fea966ba803737c8ae2ae8f5ea16a67c4

SHA256
ee21a2970c7b83fdd9f1ef3817d7a870badf915edf21eac5a096ff669d505086

SHA512
33e46f9f1d7d4fcd9fd0c7c64c896e11cbe9981a81aa4b2b5ebdb70d315416ada194df932da83594c97a12b4fc7b8e4000e97cabe6b235d791d7d6439d9af26e

Download Submit
\Windows\SysWOW64\Bpafkknm.exe
Filesize
399KB

MD5
61396ad61059fb11f4c4cfd50652065c

SHA1
71ff79b1bed888da6d165bcf354b9ecc3b3884aa

SHA256
d8a90f15a68524e12c07cbb0e3742451455e7d8cfcbea0a020e9a10266d54cc8

SHA512
45d0557aa9b10387b69b6736a204c28d635e5db96749fd683247a5f9288a7170a504a1a38058345a5a720e82627addb0da700a246317601321e487610dad1215

Download Submit
\Windows\SysWOW64\Cjbmjplb.exe
Filesize
399KB

MD5
ebd7178ed595d474efe298fcb683ad80

SHA1
75cf4edcc9a4f40f132b5cb0c8d947af3a027923

SHA256
04d43f4610168c8e01d8e36ad25379effb33899dab59fd188cf190ab464da390

SHA512
606559fdd580a5ede173cdfe3de39952c92ebbe8733caeef865a584e82ae9e63114f0e95dd009ebdd7d38e6a95ac45f88de8018a8484275f374682eebba4bbf2

Download Submit
\Windows\SysWOW64\Cjlgiqbk.exe
Filesize
399KB

MD5
9f7fd67516bd42bbc740bd085e4e03c8

SHA1
238266ad87be65172f08bb6c93a4114d4a74480a

SHA256
3f48de01cfab10335a565fc7bcdcf0692f88dd57eb13174c949f2762da8020f9

SHA512
875e7e1195ca0f00520a28a70a6f8cd420e83db6b494363b2be6368411aceb9c4ce89c26fdbead83cf1c13fabaa187e4f4d718dd6c7b9d8f16238bb6cc8e8dae

Download Submit
\Windows\SysWOW64\Ckffgg32.exe
Filesize
399KB

MD5
4a9258e9c31de489a697b56736958d96

SHA1
c505c62f299909869008f8106b16e1be9eaa2616

SHA256
9935bcb42caa59b174236b6b932fabaec1901cbc559dc42a47e042aef50c349a

SHA512
45c33e7b8c6446cd481582b83c3a00a3966f6a4c02d92fb6d734e28f99b9db3f22e49303d7a9d5d6ab51d323ec9d2abac3b270bde780050099cef86bcd782510

Download Submit
\Windows\SysWOW64\Epdkli32.exe
Filesize
399KB

MD5
d5f0110b3ac462909b9a99ea09b74ef5

SHA1
827c7220a84b6f10fcc9f1068dcb28c736a682b2

SHA256
05478c9e57c1f1a11472204a2a11e4e90cca8a9f2fef0c850c96820ed0c82ad0

SHA512
bad259394afe4df96c4662e07a612f40a889aee01eaffead1d7bcc2fc84b63e2c814dd8ba0eecd472d2bce4665330d9ae62014aff28ec4333ec0fa8ec8904038

Download Submit
\Windows\SysWOW64\Ojficpfn.exe
Filesize
399KB

MD5
6df78b1c1b2754060385525c4b2d6861

SHA1
a79ccd6a8afab551b49e2bf09757ae2cbdf75ab7

SHA256
f89313654b8de56f99cd0c4bb8fee4b2adc6b640aa05467818931faf4ce1dd25

SHA512
fcb6318c28324a94e51dcd3cd21acf996b78408bc256245178e11d7658bd8b790dc5ccc3755ade80646d6dba1c342dc4c61d87ab62514e1f1306cdbf560f7bc5

Download Submit
\Windows\SysWOW64\Pccfge32.exe
Filesize
399KB

MD5
bc7275501b1d5dcdb1985abdb650f61c

SHA1
d10cd72707a21afe0ab401faac4f1a8adbe6440b

SHA256
c7861cb82ef1fc5c5bae65d651ee34af5e9451c1f4f242943d7af9e6d1d17fa6

SHA512
39f304a0ae01b814f0f463c8991596fa837751ed0537e7165dbd4426f811e26db832e091a01b5d5c938ccfd27ebb382752dc21c76bb53df680c832ef71c67d84

Download Submit
\Windows\SysWOW64\Pfflopdh.exe
Filesize
399KB

MD5
23bd73c9640e6a6c6b9bbdcbdafed3a1

SHA1
8baaa3bdf7dcb8d893e73957e79e772795ecb87c

SHA256
3f6ab17d21c49f431c8d5c8fa007c8efd005e5e889099ce990c93b783a29bbdc

SHA512
ed222e42b6aae5e1caa03cde3412b18e98ddd15f295b4b66d714e17bb8d5d488ef72b3135be71496862b9f0995eaabe01afb156ae8887ded90dd566dec688d61

Download Submit
\Windows\SysWOW64\Plahag32.exe
Filesize
399KB

MD5
31995041d164aed84d49e8795e04b716

SHA1
0d91f977e9bc1e8a045e4ea6104a8df685766e55

SHA256
7b5f5c4344d24a94156c4bc618ab9381fcbbf557fd97f91a270b9218040d0bde

SHA512
bbe7bd0f2abbb606b7a4fa7bdf0494773dc5c50197ed53ce0d1146f4d2ce302288c094a64874a39b78ed0d17e2417e047ecd1e3c1416d45a3e0c96f7b3c9a536

Download Submit
memory/484-234-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/484-498-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/484-233-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/484-222-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/576-308-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/576-321-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/844-500-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/844-241-0x0000000001FE0000-0x000000000205F000-memory.dmp

Filesize
508KB

Download
memory/844-235-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1108-326-0x00000000002F0000-0x000000000036F000-memory.dmp

Filesize
508KB

Download
memory/1108-331-0x00000000002F0000-0x000000000036F000-memory.dmp

Filesize
508KB

Download
memory/1128-288-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1128-301-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/1128-510-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-287-0x0000000000320000-0x000000000039F000-memory.dmp

Filesize
508KB

Download
memory/1204-277-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-508-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1204-283-0x0000000000320000-0x000000000039F000-memory.dmp

Filesize
508KB

Download
memory/1296-192-0x0000000000340000-0x00000000003BF000-memory.dmp

Filesize
508KB

Download
memory/1296-184-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1296-489-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1472-502-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1472-245-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1472-259-0x0000000000270000-0x00000000002EF000-memory.dmp

Filesize
508KB

Download
memory/1472-257-0x0000000000270000-0x00000000002EF000-memory.dmp

Filesize
508KB

Download
memory/1664-276-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/1664-506-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1664-266-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1664-272-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/1704-342-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-351-0x0000000002040000-0x00000000020BF000-memory.dmp

Filesize
508KB

Download
memory/1704-352-0x0000000002040000-0x00000000020BF000-memory.dmp

Filesize
508KB

Download
memory/1912-6-0x0000000000300000-0x000000000037F000-memory.dmp

Filesize
508KB

Download
memory/1912-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1912-458-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1924-164-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1924-487-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1924-183-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/1924-182-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/1960-491-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-193-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-206-0x00000000002F0000-0x000000000036F000-memory.dmp

Filesize
508KB

Download
memory/1960-209-0x00000000002F0000-0x000000000036F000-memory.dmp

Filesize
508KB

Download
memory/2000-260-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2000-504-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2000-265-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2028-133-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2028-481-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2036-227-0x00000000004F0000-0x000000000056F000-memory.dmp

Filesize
508KB

Download
memory/2036-221-0x00000000004F0000-0x000000000056F000-memory.dmp

Filesize
508KB

Download
memory/2036-220-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2036-493-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2112-479-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2112-115-0x0000000000380000-0x00000000003FF000-memory.dmp

Filesize
508KB

Download
memory/2112-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2168-460-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2168-26-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2168-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2220-306-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/2220-307-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/2576-75-0x0000000000480000-0x00000000004FF000-memory.dmp

Filesize
508KB

Download
memory/2576-473-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2576-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2620-363-0x00000000002E0000-0x000000000035F000-memory.dmp

Filesize
508KB

Download
memory/2620-358-0x00000000002E0000-0x000000000035F000-memory.dmp

Filesize
508KB

Download
memory/2620-353-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2640-392-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2644-391-0x0000000001FF0000-0x000000000206F000-memory.dmp

Filesize
508KB

Download
memory/2644-381-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2644-387-0x0000000001FF0000-0x000000000206F000-memory.dmp

Filesize
508KB

Download
memory/2656-366-0x0000000000310000-0x000000000038F000-memory.dmp

Filesize
508KB

Download
memory/2656-370-0x0000000000310000-0x000000000038F000-memory.dmp

Filesize
508KB

Download
memory/2656-365-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2744-65-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/2744-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2744-466-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2760-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2760-464-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2812-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2812-163-0x0000000000300000-0x000000000037F000-memory.dmp

Filesize
508KB

Download
memory/2812-485-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2812-162-0x0000000000300000-0x000000000037F000-memory.dmp

Filesize
508KB

Download
memory/2840-475-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2840-89-0x00000000004F0000-0x000000000056F000-memory.dmp

Filesize
508KB

Download
memory/2840-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-462-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2880-332-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2880-337-0x00000000002F0000-0x000000000036F000-memory.dmp

Filesize
508KB

Download
memory/2928-380-0x00000000002F0000-0x000000000036F000-memory.dmp

Filesize
508KB

Download
memory/2928-371-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3044-477-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3048-483-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3048-134-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3048-142-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download
memory/3048-148-0x0000000000250000-0x00000000002CF000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads