e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
292s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
Size

2.0MB
MD5

01be7be288126004a6b6013cfa9630f3
SHA1

3deb89a1e4a358eb0fd221eb5cbe8ed85704e7ec
SHA256

6284a2f1d801c9d5c426b98da1c753b49eb8ce2baba7e94131f2f6d8fcdba629
SHA512

cffc1d1accdcebb48385f0caac440fbe243b9eb96a090c994e8f198b6d7c66845e59b7b0278b9bddad724749e5ea4868ac255a8d5cd240118b270490d39d6938
SSDEEP

24576:woQDcLfDdGsJm1OVmfihmevP3r9jKB3nwPg:woQDcLPmA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbokmqie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clilkfnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknekeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bppoqeja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlgpgef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emieil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpnbkeld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bghjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknekeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpnbkeld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddaphkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biamilfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgjdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjpacfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnobnmpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biamilfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjpacfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dccagcgk.exe

Executes dropped EXE 38 IoCs

pid	Process
1060	Biamilfj.exe
2592	Bpleef32.exe
2640	Bbjbaa32.exe
2764	Bpnbkeld.exe
2600	Bghjhp32.exe
2608	Bppoqeja.exe
1540	Bbokmqie.exe
2812	Ckjpacfp.exe
1640	Clilkfnb.exe
1788	Cddaphkn.exe
660	Cdgneh32.exe
756	Cnobnmpl.exe
2300	Cclkfdnc.exe
2092	Cdlgpgef.exe
564	Dpbheh32.exe
1332	Dfoqmo32.exe
820	Dccagcgk.exe
1968	Dknekeef.exe
1460	Dcenlceh.exe
340	Ddgjdk32.exe
1596	Dkqbaecc.exe
1660	Ddigjkid.exe
2572	Dggcffhg.exe
2972	Eqpgol32.exe
1868	Egjpkffe.exe
2684	Ebodiofk.exe
2604	Ecqqpgli.exe
2704	Ekhhadmk.exe
2412	Emieil32.exe
1992	Eccmffjf.exe
1880	Efaibbij.exe
1856	Eqgnokip.exe
1588	Egafleqm.exe
2872	Ejobhppq.exe
2280	Eplkpgnh.exe
1136	Ebjglbml.exe
348	Fidoim32.exe
2848	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2236	[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
2236	[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
1060	Biamilfj.exe
1060	Biamilfj.exe
2592	Bpleef32.exe
2592	Bpleef32.exe
2640	Bbjbaa32.exe
2640	Bbjbaa32.exe
2764	Bpnbkeld.exe
2764	Bpnbkeld.exe
2600	Bghjhp32.exe
2600	Bghjhp32.exe
2608	Bppoqeja.exe
2608	Bppoqeja.exe
1540	Bbokmqie.exe
1540	Bbokmqie.exe
2812	Ckjpacfp.exe
2812	Ckjpacfp.exe
1640	Clilkfnb.exe
1640	Clilkfnb.exe
1788	Cddaphkn.exe
1788	Cddaphkn.exe
660	Cdgneh32.exe
660	Cdgneh32.exe
756	Cnobnmpl.exe
756	Cnobnmpl.exe
2300	Cclkfdnc.exe
2300	Cclkfdnc.exe
2092	Cdlgpgef.exe
2092	Cdlgpgef.exe
564	Dpbheh32.exe
564	Dpbheh32.exe
1332	Dfoqmo32.exe
1332	Dfoqmo32.exe
820	Dccagcgk.exe
820	Dccagcgk.exe
1968	Dknekeef.exe
1968	Dknekeef.exe
1460	Dcenlceh.exe
1460	Dcenlceh.exe
340	Ddgjdk32.exe
340	Ddgjdk32.exe
1596	Dkqbaecc.exe
1596	Dkqbaecc.exe
1660	Ddigjkid.exe
1660	Ddigjkid.exe
2572	Dggcffhg.exe
2572	Dggcffhg.exe
2972	Eqpgol32.exe
2972	Eqpgol32.exe
1868	Egjpkffe.exe
1868	Egjpkffe.exe
2684	Ebodiofk.exe
2684	Ebodiofk.exe
2604	Ecqqpgli.exe
2604	Ecqqpgli.exe
2704	Ekhhadmk.exe
2704	Ekhhadmk.exe
2412	Emieil32.exe
2412	Emieil32.exe
1992	Eccmffjf.exe
1992	Eccmffjf.exe
1880	Efaibbij.exe
1880	Efaibbij.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Egafleqm.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Dmkmmi32.dll	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Clilkfnb.exe	Ckjpacfp.exe
File created	C:\Windows\SysWOW64\Dfoqmo32.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Amfidj32.dll	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Egjpkffe.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Imehcohk.dll	Emieil32.exe
File opened for modification	C:\Windows\SysWOW64\Ejobhppq.exe	Egafleqm.exe
File created	C:\Windows\SysWOW64\Emieil32.exe	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Bpleef32.exe	Biamilfj.exe
File opened for modification	C:\Windows\SysWOW64\Cdlgpgef.exe	Cclkfdnc.exe
File created	C:\Windows\SysWOW64\Hhijaf32.dll	Dggcffhg.exe
File opened for modification	C:\Windows\SysWOW64\Bghjhp32.exe	Bpnbkeld.exe
File opened for modification	C:\Windows\SysWOW64\Egjpkffe.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Eplkpgnh.exe	Ejobhppq.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Dknekeef.exe
File opened for modification	C:\Windows\SysWOW64\Ecqqpgli.exe	Ebodiofk.exe
File opened for modification	C:\Windows\SysWOW64\Cdgneh32.exe	Cddaphkn.exe
File created	C:\Windows\SysWOW64\Bjidgghp.dll	Dknekeef.exe
File opened for modification	C:\Windows\SysWOW64\Eplkpgnh.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Bppoqeja.exe	Bghjhp32.exe
File created	C:\Windows\SysWOW64\Ekjajfei.dll	Bppoqeja.exe
File opened for modification	C:\Windows\SysWOW64\Ckjpacfp.exe	Bbokmqie.exe
File created	C:\Windows\SysWOW64\Ebodiofk.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Ecqqpgli.exe	Ebodiofk.exe
File opened for modification	C:\Windows\SysWOW64\Emieil32.exe	Ekhhadmk.exe
File opened for modification	C:\Windows\SysWOW64\Bbokmqie.exe	Bppoqeja.exe
File created	C:\Windows\SysWOW64\Cdgneh32.exe	Cddaphkn.exe
File created	C:\Windows\SysWOW64\Dccagcgk.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Dpbheh32.exe	Cdlgpgef.exe
File opened for modification	C:\Windows\SysWOW64\Dfoqmo32.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Lbadbn32.dll	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Bghjhp32.exe	Bpnbkeld.exe
File created	C:\Windows\SysWOW64\Ekhhadmk.exe	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Fidoim32.exe	Ebjglbml.exe
File opened for modification	C:\Windows\SysWOW64\Bpnbkeld.exe	Bbjbaa32.exe
File opened for modification	C:\Windows\SysWOW64\Eqpgol32.exe	Dggcffhg.exe
File created	C:\Windows\SysWOW64\Njmggi32.dll	Egjpkffe.exe
File opened for modification	C:\Windows\SysWOW64\Dpbheh32.exe	Cdlgpgef.exe
File opened for modification	C:\Windows\SysWOW64\Eccmffjf.exe	Emieil32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgjdk32.exe	Dcenlceh.exe
File opened for modification	C:\Windows\SysWOW64\Ddigjkid.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Khknah32.dll	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Kclhicjn.dll	Bpnbkeld.exe
File created	C:\Windows\SysWOW64\Cddaphkn.exe	Clilkfnb.exe
File created	C:\Windows\SysWOW64\Dknekeef.exe	Dccagcgk.exe
File opened for modification	C:\Windows\SysWOW64\Bbjbaa32.exe	Bpleef32.exe
File opened for modification	C:\Windows\SysWOW64\Cddaphkn.exe	Clilkfnb.exe
File opened for modification	C:\Windows\SysWOW64\Egafleqm.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Bpnbkeld.exe	Bbjbaa32.exe
File created	C:\Windows\SysWOW64\Joliff32.dll	Cdlgpgef.exe
File created	C:\Windows\SysWOW64\Ddigjkid.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Efaibbij.exe
File opened for modification	C:\Windows\SysWOW64\Biamilfj.exe	[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
File created	C:\Windows\SysWOW64\Mecbia32.dll	Ckjpacfp.exe
File created	C:\Windows\SysWOW64\Iifjjk32.dll	Dfoqmo32.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Efaibbij.exe
File opened for modification	C:\Windows\SysWOW64\Clilkfnb.exe	Ckjpacfp.exe
File created	C:\Windows\SysWOW64\Aphdelhp.dll	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Eccmffjf.exe	Emieil32.exe
File created	C:\Windows\SysWOW64\Abkphdmd.dll	Eqpgol32.exe
File opened for modification	C:\Windows\SysWOW64\Bppoqeja.exe	Bghjhp32.exe
File created	C:\Windows\SysWOW64\Lnfhlh32.dll	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Egqdeaqb.dll	Dccagcgk.exe

Program crash 1 IoCs

pid	pid_target	Process
1964	2848	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll"	Clilkfnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clilkfnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknekeef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Egafleqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biamilfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll"	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kclhicjn.dll"	Bpnbkeld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddpkh32.dll"	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecbia32.dll"	Ckjpacfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll"	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbokmqie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll"	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpleef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpedi32.dll"	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakomajq.dll"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll"	Cddaphkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll"	Dfoqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll"	Ddgjdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbokmqie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll"	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnobnmpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1060	2236	[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe	28
PID 2236 wrote to memory of 1060	2236	[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe	28
PID 2236 wrote to memory of 1060	2236	[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe	28
PID 2236 wrote to memory of 1060	2236	[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe	28
PID 1060 wrote to memory of 2592	1060	Biamilfj.exe	29
PID 1060 wrote to memory of 2592	1060	Biamilfj.exe	29
PID 1060 wrote to memory of 2592	1060	Biamilfj.exe	29
PID 1060 wrote to memory of 2592	1060	Biamilfj.exe	29
PID 2592 wrote to memory of 2640	2592	Bpleef32.exe	30
PID 2592 wrote to memory of 2640	2592	Bpleef32.exe	30
PID 2592 wrote to memory of 2640	2592	Bpleef32.exe	30
PID 2592 wrote to memory of 2640	2592	Bpleef32.exe	30
PID 2640 wrote to memory of 2764	2640	Bbjbaa32.exe	31
PID 2640 wrote to memory of 2764	2640	Bbjbaa32.exe	31
PID 2640 wrote to memory of 2764	2640	Bbjbaa32.exe	31
PID 2640 wrote to memory of 2764	2640	Bbjbaa32.exe	31
PID 2764 wrote to memory of 2600	2764	Bpnbkeld.exe	32
PID 2764 wrote to memory of 2600	2764	Bpnbkeld.exe	32
PID 2764 wrote to memory of 2600	2764	Bpnbkeld.exe	32
PID 2764 wrote to memory of 2600	2764	Bpnbkeld.exe	32
PID 2600 wrote to memory of 2608	2600	Bghjhp32.exe	33
PID 2600 wrote to memory of 2608	2600	Bghjhp32.exe	33
PID 2600 wrote to memory of 2608	2600	Bghjhp32.exe	33
PID 2600 wrote to memory of 2608	2600	Bghjhp32.exe	33
PID 2608 wrote to memory of 1540	2608	Bppoqeja.exe	34
PID 2608 wrote to memory of 1540	2608	Bppoqeja.exe	34
PID 2608 wrote to memory of 1540	2608	Bppoqeja.exe	34
PID 2608 wrote to memory of 1540	2608	Bppoqeja.exe	34
PID 1540 wrote to memory of 2812	1540	Bbokmqie.exe	35
PID 1540 wrote to memory of 2812	1540	Bbokmqie.exe	35
PID 1540 wrote to memory of 2812	1540	Bbokmqie.exe	35
PID 1540 wrote to memory of 2812	1540	Bbokmqie.exe	35
PID 2812 wrote to memory of 1640	2812	Ckjpacfp.exe	36
PID 2812 wrote to memory of 1640	2812	Ckjpacfp.exe	36
PID 2812 wrote to memory of 1640	2812	Ckjpacfp.exe	36
PID 2812 wrote to memory of 1640	2812	Ckjpacfp.exe	36
PID 1640 wrote to memory of 1788	1640	Clilkfnb.exe	37
PID 1640 wrote to memory of 1788	1640	Clilkfnb.exe	37
PID 1640 wrote to memory of 1788	1640	Clilkfnb.exe	37
PID 1640 wrote to memory of 1788	1640	Clilkfnb.exe	37
PID 1788 wrote to memory of 660	1788	Cddaphkn.exe	38
PID 1788 wrote to memory of 660	1788	Cddaphkn.exe	38
PID 1788 wrote to memory of 660	1788	Cddaphkn.exe	38
PID 1788 wrote to memory of 660	1788	Cddaphkn.exe	38
PID 660 wrote to memory of 756	660	Cdgneh32.exe	39
PID 660 wrote to memory of 756	660	Cdgneh32.exe	39
PID 660 wrote to memory of 756	660	Cdgneh32.exe	39
PID 660 wrote to memory of 756	660	Cdgneh32.exe	39
PID 756 wrote to memory of 2300	756	Cnobnmpl.exe	40
PID 756 wrote to memory of 2300	756	Cnobnmpl.exe	40
PID 756 wrote to memory of 2300	756	Cnobnmpl.exe	40
PID 756 wrote to memory of 2300	756	Cnobnmpl.exe	40
PID 2300 wrote to memory of 2092	2300	Cclkfdnc.exe	41
PID 2300 wrote to memory of 2092	2300	Cclkfdnc.exe	41
PID 2300 wrote to memory of 2092	2300	Cclkfdnc.exe	41
PID 2300 wrote to memory of 2092	2300	Cclkfdnc.exe	41
PID 2092 wrote to memory of 564	2092	Cdlgpgef.exe	42
PID 2092 wrote to memory of 564	2092	Cdlgpgef.exe	42
PID 2092 wrote to memory of 564	2092	Cdlgpgef.exe	42
PID 2092 wrote to memory of 564	2092	Cdlgpgef.exe	42
PID 564 wrote to memory of 1332	564	Dpbheh32.exe	43
PID 564 wrote to memory of 1332	564	Dpbheh32.exe	43
PID 564 wrote to memory of 1332	564	Dpbheh32.exe	43
PID 564 wrote to memory of 1332	564	Dpbheh32.exe	43

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\Biamilfj.exe
  C:\Windows\system32\Biamilfj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\Bpleef32.exe
    C:\Windows\system32\Bpleef32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\Bbjbaa32.exe
      C:\Windows\system32\Bbjbaa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Bpnbkeld.exe
        
        C:\Windows\system32\Bpnbkeld.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\Bghjhp32.exe
        
        C:\Windows\system32\Bghjhp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Bppoqeja.exe
        
        C:\Windows\system32\Bppoqeja.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Bbokmqie.exe
        
        C:\Windows\system32\Bbokmqie.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Ckjpacfp.exe
        
        C:\Windows\system32\Ckjpacfp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Clilkfnb.exe
        
        C:\Windows\system32\Clilkfnb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Cddaphkn.exe
        
        C:\Windows\system32\Cddaphkn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Cdgneh32.exe
        
        C:\Windows\system32\Cdgneh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Cnobnmpl.exe
        
        C:\Windows\system32\Cnobnmpl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Cclkfdnc.exe
        
        C:\Windows\system32\Cclkfdnc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Cdlgpgef.exe
        
        C:\Windows\system32\Cdlgpgef.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Dpbheh32.exe
        
        C:\Windows\system32\Dpbheh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Dccagcgk.exe
        
        C:\Windows\system32\Dccagcgk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Dknekeef.exe
        
        C:\Windows\system32\Dknekeef.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Dcenlceh.exe
        
        C:\Windows\system32\Dcenlceh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Ddgjdk32.exe
        
        C:\Windows\system32\Ddgjdk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:340
        
        C:\Windows\SysWOW64\Dkqbaecc.exe
        
        C:\Windows\system32\Dkqbaecc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Ddigjkid.exe
        
        C:\Windows\system32\Ddigjkid.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Dggcffhg.exe
        
        C:\Windows\system32\Dggcffhg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Egjpkffe.exe
        
        C:\Windows\system32\Egjpkffe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Ecqqpgli.exe
        
        C:\Windows\system32\Ecqqpgli.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Ekhhadmk.exe
        
        C:\Windows\system32\Ekhhadmk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Emieil32.exe
        
        C:\Windows\system32\Emieil32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Eccmffjf.exe
        
        C:\Windows\system32\Eccmffjf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Egafleqm.exe
        
        C:\Windows\system32\Egafleqm.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        39⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 140
        40⤵
        Program crash
        
        PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbjbaa32.exe

Filesize
2.0MB

MD5
cda05967c65d7b051e82ac85c8e827c8

SHA1
10cda26a1014cc28f6e71c73e8e865143a4fbc0e

SHA256
6f9c3aef8c26cc1aafb3e3afb2e59d4497b249c19db9803f6c9ce1dad0ec9811

SHA512
55ad6296bc7b2b476da74c527d2b3703894f4181751e1c308d658403621fadc3336e2ce442eb7483fb2402540402529d89af87a4d16730a7b64453d113c612a6

Download Submit
C:\Windows\SysWOW64\Bbokmqie.exe

Filesize
2.0MB

MD5
409a67972d719a2ec3607a94a3afe925

SHA1
725c91f8183885ae5e68d1b6a65c55edf53f3b56

SHA256
f3287b6b79905e5e8d653f84900edfabb17b11a8a9c91bf6d54b467d77e8047c

SHA512
d32d92dab4e129ba9990b33cf869ca3f6f8369fc7f2881a3f355a04aa55a63fe2b4950c33085ab1ce8f50f8b50a8efbba27f15c90906c7b3562a9f1995e2d833

Download Submit
C:\Windows\SysWOW64\Bghjhp32.exe

Filesize
2.0MB

MD5
b60877dfbc8ea3b94754b0294c17a2f3

SHA1
bf8ca64bda2bce361db8091f30951f07145c61a4

SHA256
b1ec0a6433a0436bd25a9c2d015d69c7d93efd3d8c8f4d259cbbc040976f63fe

SHA512
0901eb08cd4c909f94764e123004eb269820c184730ccb3c771e45c74904ad8119cc224cb9e829330fed697e97d3baa3941cb5984e8c6a970e7ac4e67a57d6f5

Download Submit
C:\Windows\SysWOW64\Biamilfj.exe

Filesize
2.0MB

MD5
295d78213c0b45ff068e748703264d95

SHA1
ec359bf857d85516a302fb51d64e3eb5575fc61e

SHA256
5a5c71db977c3c717ef9b37150e72a989f85ed2d292690cd40404eaf2d30569f

SHA512
6e6f5f10838d8a08779934dea685f328d086db7755682bc7bacd37eb3211f790943baae594e121cbc15765458cf116dc4d545bb27107b5fde5f84e2ea7786258

Download Submit
C:\Windows\SysWOW64\Bpleef32.exe

Filesize
2.0MB

MD5
3c3038bcf0fc02cf905b7abd4f682890

SHA1
8800b9750d3cbfd9592a94e04bd670d8b53eab9e

SHA256
c48feefcdcbe9ad0978c4bda51a6dc8ed9398ee04686a5f08dc30ff579542efb

SHA512
8c3b6633bc051b82a903bb1bf26444c4d25bd703da448042f14daa0a11b65eccbe10c634ef727e983c10d3b0969851343cdcd0e682e47b16ef566f237ce0d203

Download Submit
C:\Windows\SysWOW64\Bpnbkeld.exe

Filesize
2.0MB

MD5
9af48ec55bc74afdc3aa854f506982a3

SHA1
45fc700827f86dfd538ca05ba64e938ae033c7f5

SHA256
2ed5d69f14dca20fa2be556ea0321f7edbc646d12ab9fb6a9c08a3425bdaac23

SHA512
97c6c6d308896538c6151bda68a00a7b2ff7b7d0c10a0f37092e7a0fa1057432ae50a6e195e62663fb86043b7732b6589e020dbbe95b65657cd276bdb64bfeaf

Download Submit
C:\Windows\SysWOW64\Bppoqeja.exe

Filesize
2.0MB

MD5
422003d6801f71d4154f278b15c6b827

SHA1
749e3afcdb9852d8658480369d9c8aab636b893b

SHA256
388fa45fb197070fa128b13425704bf10f61fa9d22d4f41ae6c3cda858a98400

SHA512
b6fb14969393c39e630182b896eaa64a6381152d78a8b12bdb20a8e2d58fa9daca649fa5a0fe3478f94a2c85e5138773d0e5023940fe9a2de2a2e6c60d08bff0

Download Submit
C:\Windows\SysWOW64\Cclkfdnc.exe

Filesize
2.0MB

MD5
edd7cfb111adc44446f65a35a60ceba7

SHA1
99f3bcc1b8b54049c89b1cc6166a59bd4ce697b0

SHA256
fb7365b6424ca867cd67a656a0dd7183bf3dd45c3507c6ad25ad60abcc7c5e5c

SHA512
deabcac4d2d3fc7f99ddf18670074518a1216195edff65ed126e8f10008c78d45ca83e8f8028ef3ce26b74d79d7dca7abc0d734ec8fffa4a08adc6cea1314777

Download Submit
C:\Windows\SysWOW64\Cddaphkn.exe

Filesize
2.0MB

MD5
4c846843a78e27141ac089f42f3a640e

SHA1
1053d8b4f0340793fb912218e6435e947ea1e7cb

SHA256
73180c903f04ed3f018164b68770e58b14803e62f980058a75258a57d5404bc9

SHA512
0d2567f8918f3f87d96bc934131abd12a628df2ac36c7220ef8f591f09f7de6d087324b55dda8b8953e4894ae0086d7e4a80eacd384540c70f92e7a32792190d

Download Submit
C:\Windows\SysWOW64\Cdgneh32.exe

Filesize
2.0MB

MD5
46d390fcbe66ccf1bad40c05bb79b2d0

SHA1
6411c44cb413836a111725b5743bb3b6204a4950

SHA256
e107b430916567a3652aba9a0b972f508469b9e0e6bdf2f296096be9164e4d0f

SHA512
bd976bc6a77cf88d523ade068509631455de98784a3f75b32acdb5065ea2883c95e994a337ff6a7cf718bda035f64d38614cceb293b0f316cbc7e170f890fa93

Download Submit
C:\Windows\SysWOW64\Ckjpacfp.exe

Filesize
2.0MB

MD5
a005aa03c153a3cec98d47c03c21a89d

SHA1
95f12692cd4ffa178a6f7ded322f0fd882c7ccb8

SHA256
64120bbde5aa8c463b834dce5d8433b00f61119072273e69c8ff8bc9828371f3

SHA512
dacf491517a1ddc6ff67c2371e5612daf55ff9fe805874bf434c049289f2ca3633e8f8963b8e0513960f939faa47c030f0069a544ffd3f10d781989ade66e7fc

Download Submit
C:\Windows\SysWOW64\Clilkfnb.exe

Filesize
2.0MB

MD5
7df764f4bd80fba3d18654fef2a1c5f0

SHA1
46c3a5f49c832443f8f1fcd31c2ce796e2a0fd29

SHA256
1694ba4c219e7fda335a1558d3a7a615c2af78123ebdac33bfc70191bc44ad92

SHA512
85ec3ebd422d096e856d11ef24381566e572cc2c6b79d1849b948f17476e04a9e692eeed3fccdc4e99ae373185e02e92be5af1e45a06e01a2a768dcf57de654d

Download Submit
C:\Windows\SysWOW64\Cnobnmpl.exe

Filesize
2.0MB

MD5
34f2cab2d68295b429e316f5c3dfd7c0

SHA1
e893e212be178cd7c705e356a44b3e5c5b38cc11

SHA256
2e2ffebf2d84d60c79ada5f0a0d6b11e71737b4b44248d18d884cb77c7028050

SHA512
d2a9826bbdf4ce53004498e236b5201d043f05697288f2d374ecd45e2eef715bb4ab0ee55a8ef38531ba31043a5c526466395ecad2debe1e1ddc893108887f57

Download Submit
C:\Windows\SysWOW64\Dccagcgk.exe

Filesize
2.0MB

MD5
513f9af8a1542f1acf33b4d079e30921

SHA1
346787656dc0328f7c38272549602be6cf37d29c

SHA256
bd96a83b4165e19c1093631932fb7e402588065b555586f6c2db0abcec350c8c

SHA512
4b040b47a0eedf7765a0b131b279f1cbfba9a25becb244fe1cce0e13b8c38fc72ff260885d166dcf6463abc31c4bacaaeee0a438db547499226e700cc2e56907

Download Submit
C:\Windows\SysWOW64\Dcenlceh.exe

Filesize
2.0MB

MD5
8cd2fb76c2dd8a08ec966020eba9942a

SHA1
b6e1ebee1cc28ccd0c273689b0161d974dde4b09

SHA256
c70b7543bd16e525223d812ce880c6a06df357c33d8a20756d679c468a43196e

SHA512
0f01942535189b401fcaa80a2deace75c441574c4b94e0f5616c3ac816dafed4096bbae921cc4d8ea249b9bad7f79d8d7052e78ed04b3b8cf64e6f8b23a67254

Download Submit
C:\Windows\SysWOW64\Ddgjdk32.exe

Filesize
2.0MB

MD5
981f4592f000dbc4cd54d74db54340c1

SHA1
493291aaf48cbd41a139f915931347dc742dc4d0

SHA256
748d07dbe4eef155e507d61dac28a0ee7693619d7ecaf044473b8287aa0ebb23

SHA512
3b1b71bedf7e70ba3f748d92dcb7782a90bfc0c8a5ae06258ffc55f4508d34fb11f993937f3b57dc2b2e7373f659296e802398f7d9553e48e6c54ea4ee070ce2

Download Submit
C:\Windows\SysWOW64\Ddigjkid.exe

Filesize
2.0MB

MD5
ef43f758176d041f5fb11f91c9473945

SHA1
2a7694632d2076b69b6d796211b5a1c5faf074c4

SHA256
b702f1bfd99ea17c35e3765126665dd48e6ba88af00b5e85b035358f3d60d567

SHA512
7eec11bcbf1c60c5afbe7e9e5d8a4873043a59faecaa2203af75d234f04d119175bb75e27b0fb31c6c377469bddf746992f3079d29de107c7e014003688323c9

Download Submit
C:\Windows\SysWOW64\Dfoqmo32.exe

Filesize
2.0MB

MD5
b7c25b3d168bc15c83bc172ec9326dad

SHA1
da4bbfce2fbb7cff3318f988efcd1e838946160b

SHA256
5bfa9aba8fec179d722814e8f16ffebb912c30846f09513e4bd3dce6a96a093f

SHA512
c9bce689f225b9309f0506203cf9aa30884af338759e0bbfa0d0a27f711bec0a35d5184af810d974ff0cf78fe7cc25aa8252cb09a638ff55d7cfc01ba5828b0a

Download Submit
C:\Windows\SysWOW64\Dggcffhg.exe

Filesize
2.0MB

MD5
83a1471ce0efc1a4a26af87a726ac5c6

SHA1
50691ebb41f57c77f6f57863961bf396ecb51706

SHA256
2afc297219bdea629779032bc0fc50b4a3045f694668fe6f34720aa8a3668e65

SHA512
e6db9d81d376c91449e85f8c0571c4c0ade12d6f2d2d27e70663fdbf88ffda9c5c606c204ce43b22ac24de3e064dd5b1bdf359eab9d009e3c7c4bd0761c2a829

Download Submit
C:\Windows\SysWOW64\Dknekeef.exe

Filesize
2.0MB

MD5
1a767186703b6f428bc8e0a3594e6b3b

SHA1
29811680406efa097b30cc160e3568a3f8958349

SHA256
1ba1c51e79db821216cdfeab2ff0ba81933c2cc0028c80a4b7ae1e1c327742f1

SHA512
91ca35c0b3e73f11f551ade9a17dd951a5e1edad840088ed1dda5e637368d28dcbb9a3905c661e6f9339733187dd4ff01246c43e752a9de718fcfde692ef8903

Download Submit
C:\Windows\SysWOW64\Dkqbaecc.exe

Filesize
2.0MB

MD5
bab05c14b61ee39d1e8aab9947aff7b2

SHA1
0ee89189fad21fd0b049896e85a9388569d66bcb

SHA256
66b8c07713eae34ad141a1c4c88cfe237f1854dfda57ce757227cb0e26a786ae

SHA512
1a999f140c0ff523d5224b1a93248a2d8af5d40c79e496cccae9d959a6e5c8e840dab563509581a315eee11f99c4a735f0941f1142d947974905a352713b4302

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
2.0MB

MD5
96bfab23e592be8d88fe18969e36b941

SHA1
0ebe9c3fa1b720fd3882cd497b947c3435aed183

SHA256
3a161baf49d81da04916d63b0c2f56362ae97cfa4e86a03c948b25b25629debd

SHA512
1d9dd66a03d6c9de3d0a3394d52c8bca8926bbb6ce9915db5948d059fdfe7c9197bd28bff81a37da71ec6df43492f72f9f3a79c3d678d1f03a6dca7da209e227

Download Submit
C:\Windows\SysWOW64\Ebodiofk.exe

Filesize
2.0MB

MD5
6b2a506c8eb82479ef6ec67ced8cccd4

SHA1
b1822f5549ab209d3e08b45881cfedf6179b7722

SHA256
f51e17c10dd6930a97816f837ddaeb00e17b2a80619c7f0f28e7b12bac22b2a6

SHA512
6d4b1316979e49154b3ba4e0b2a2ab702d39f98f0f576dde189a4e51677625534823848912dda5af2d86edd3d3951bc01cc8f9b29adb97a23fb7ac1d395238ea

Download Submit
C:\Windows\SysWOW64\Eccmffjf.exe

Filesize
2.0MB

MD5
1a9ba38a38b487a40da2645aa277c5b9

SHA1
1768b2e8e740c7a9ce35485f406a5b778b627fa1

SHA256
91d7fcc6e0fcc78d7740b07f8158088ddc2fb670a2de52123d14e4ab05329e95

SHA512
5e67bd9efb9ecd185388995c97a4eb7c3f79247efb8fd30f8eee91cbdddd263818e999a643695c0f3d1fe7ccf8c5e051ecc730e9e4efe2218d1aaa7e99217f53

Download Submit
C:\Windows\SysWOW64\Ecqqpgli.exe

Filesize
2.0MB

MD5
f5b94c28fbb2919e2aff83962d4f0080

SHA1
8159247bc533f3854679d49ce0210f525d2b15a0

SHA256
889bfbada675605b9851257bbfbc56177bf29ef985de15b4748c8d984f4dce75

SHA512
6a329b7264350c76e20226f6e4c9f495640d2281d8b2f5dd5265b98ec37a57c0c5f89614ebaeb352a8be3cbe65c8567ebbd1997111a6f614f8342eaef557f746

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
2.0MB

MD5
e60eba1f59da3c0afa40b9ecc780c16c

SHA1
963758e51270f8a30c915baa2003fe139743437a

SHA256
6a7b880a105c0334bc8582e5773254e923f8b98e3bfccd26ffdb6826e19da82c

SHA512
385a5b70ec5a76937c957e5428ed1ee742bd4393bafc769054c1cef5474632d267faf634ececc4c5a94c2005d0b01e5977ea2756e180915c47cf45e04fef96e2

Download Submit
C:\Windows\SysWOW64\Egafleqm.exe

Filesize
2.0MB

MD5
8729856b9be417cba84002e2ac15e596

SHA1
0657dd0cd90e0658eb973780aa58be7175d45cae

SHA256
38fc4439c08498c5b45b22d38e747e789c047fece06f1a873e10dc3dd79d0495

SHA512
da062ed61e46703a5f48477abe587e9dbb4547bac2ef27f6d802da84a3f8aadbe6f37af2106bc29dfb804377ac601c78e3cb60da5fcda8c1779e497fdc38b73d

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
2.0MB

MD5
f2fc248ec7c25499555bcdda580c6bbb

SHA1
b35ce5ab2aad0953aba15d502cbd39c9d8761c1f

SHA256
4329ff26879018277f6c1dc5b396e1db10f621b62a7a8c838c454fd9ff681099

SHA512
8c12ad21209a47351c475d4bd99fb8ca0784247940e8af4fdd5eb65e668cb189d6bc132a4d782d003b74869105a0722425d5ad4e13bdc56248d5f00647b5b765

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
2.0MB

MD5
8b839378df0482031bc8b6b2e12de2b2

SHA1
271c2a0442e3cf57c7db54d8c30f4d00f36e34f6

SHA256
c2ee8c6b52b04a4c8bfb02e48682478b6d371aef8eba270c49ecf0c3dfcb2472

SHA512
7ecffd506912fa25c1c021c9bea574635899f3c0254d4ce98fbdf327c32a7eab464090966a4fc6989d9ea2f52849abc1e8e7df8801177dc6efc79a21729478c8

Download Submit
C:\Windows\SysWOW64\Ekhhadmk.exe

Filesize
2.0MB

MD5
d387661e8a39822d566adbe1f9651295

SHA1
f25b27f64462a19ecf08badd80a6ab7d0d3a587e

SHA256
57b38f776c84596d65a9fe9e3bb4d43792f088db756e13c299cfde466569e5b6

SHA512
f4b38542d83e8d33536fee4ef12b584147ef1eab6aa0325504f2ba87aaae1885dfbead98e3249e2683a59d322db7cc4144a3239018ef585e3f1a0850b0dc6db5

Download Submit
C:\Windows\SysWOW64\Emieil32.exe

Filesize
2.0MB

MD5
d7b56525e324e1d2a0da7d131ca08b8c

SHA1
c1bb11a6b29ebdc56fba94748c29a6f57cf21e82

SHA256
37b9b3e4e4ddb051dd0b59fea879b3e1db4e241e1d2cd3d84f33d9a7f0e5602d

SHA512
b679b3a756fcf7573e1218158cae6815672dbe24a19490b2422f479d31e5ceae672cf3e1c1c7c1e3017f506df107c9463415066ab5bb5693a00bb52c322207fb

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
2.0MB

MD5
46919d892fa495d5bc392bacf72dbf52

SHA1
7609e75bc468b8d1bbfb555e135905e24acf8b07

SHA256
428673b6d166ec436391452c1b8db00406bc66eab3cabc70bdac69f81b4d6756

SHA512
7d654ad4e0314d7d19547c607be4d7c313b014264b0f41af3c67e70ac904d7fa282d1a6cc8aa144e925d9d99970933843c7dffc2926d832a20a928479af9a5b3

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
2.0MB

MD5
04b7a5fc0f0aa467d8afafc971b3e0c2

SHA1
16a63ff762fe55797bac00525c0856d766ad570e

SHA256
225cfc4bbf80032f50279749c33c8d1763e07b649ec6be07287104e38fa854c8

SHA512
a616b8904ae37b498fa1fab57b9f82f21b89ac71cc7dc49b07ad78fd0bcf2feea9eac84d69c9363900969469b158c8a472e8985efce76d983898f2106c37f168

Download Submit
C:\Windows\SysWOW64\Eqpgol32.exe

Filesize
2.0MB

MD5
342a431981568368a28f6fb638ba3af0

SHA1
722527699c6ae385b82ff3f0855e2f72fb8e4b22

SHA256
6699a5f44d786a384359457355c6c293eff6ae1ea307d71ca8e7fa0c9226fe03

SHA512
763703f602435e1bc76966ccdaf1ac4d2fc8ba452536d48513e20ef0e83167c20dfd1aaad81140ef487f7e726e2e28a879343c52c43c5d0f2f41aad70f4558ad

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
2.0MB

MD5
5a85ea1efc645c9011d0d50b98d6a29a

SHA1
02f1a276454e8a72d8d3fbf80e85a830977c93cc

SHA256
e017a2e8abb28730911ac3f56fcca5fbac27a3c0f03fc586ce88b589832a1f71

SHA512
4595baaf85c97cce0d17f6e7ad07da1d62f87f5e06ca55b7fa71cbd172eb04c4435e9f8d63f2862447585625cec6652dbd8aecbe11246e68458204a35d8c097b

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
2.0MB

MD5
142c59160cf8e5032e076da2231ba5b9

SHA1
5498476944175be18c9089d011352b5024d475ae

SHA256
1774953a2f7d3de2da3545421c9670a7e1498d5a59cadc6bf6e571a8e29f1bf4

SHA512
0fd8b53908350fb8e51e7a6252dbabfdb0ad1631fa04b7eacab470a0f9080bcd83b92b5bae9d9dd2e7bac86901e64ea2474a4e8a513a3a65f12cd9a1c1194621

Download Submit
\Windows\SysWOW64\Cdlgpgef.exe

Filesize
2.0MB

MD5
ab7dcae94721800c46c3a61e02c2370c

SHA1
37258822bff7427682e56378517dea92e9b221d4

SHA256
abfb0a059f946bb580ef4e6e457feb85606835d38fb58c6c0993a1a8440895b4

SHA512
b286c547b0a1bd4bbeee146770775b9bed970ad4f843684a36ab7fe780aa4f4885eb579180fde1f1014511adbcc159ce0ae1f44f89e6a9d2cee6201b56ced38c

Download Submit
\Windows\SysWOW64\Dpbheh32.exe

Filesize
2.0MB

MD5
b6e33df10a5e90d25a91f068e17e4565

SHA1
61d9e4477eb3e116d8646d065464fe210f23ed5b

SHA256
be55b93d6aed2b05360b81813a50146563d5f46bcb45bc5eea64f9bba66b6478

SHA512
2b5d8f6f38f6164fda71c80b47a86b44d9f20dd632a62ac913850825e5a16faa807518d088721be71de3de028c9e00054d097ba3fab49825afc8d5abb4c77aaf

Download Submit
memory/340-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/340-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/564-324-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/564-325-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/564-237-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/564-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/660-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/660-279-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/660-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/660-173-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/756-197-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/756-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-290-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/820-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-260-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/820-356-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1060-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1060-27-0x0000000000310000-0x000000000033F000-memory.dmp

Filesize
188KB

Download
memory/1060-104-0x0000000000310000-0x000000000033F000-memory.dmp

Filesize
188KB

Download
memory/1060-28-0x0000000000310000-0x000000000033F000-memory.dmp

Filesize
188KB

Download
memory/1060-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-372-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1460-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-226-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1596-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-389-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1596-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-248-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1640-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-401-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1660-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-311-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1660-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-165-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1788-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-424-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1868-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-403-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2092-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-321-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2092-322-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2236-102-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2236-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-6-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2236-13-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2236-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-300-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2412-391-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2412-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-323-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2572-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-43-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2592-42-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2592-134-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2592-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-171-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2600-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-85-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2600-86-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2604-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-205-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2608-100-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2640-51-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2640-58-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2640-148-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2640-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-358-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2704-375-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2704-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads