bc44e6633cd510f973069b0bd36e16805f826d2651ba036b4e5abb19b817d960

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09fca3bbe5a84e4c3633ee44df52c7b0.exe
Size

93KB
MD5

09fca3bbe5a84e4c3633ee44df52c7b0
SHA1

aa51daf558d91a0c8dd8caf1c33b66085e0398dd
SHA256

bc44e6633cd510f973069b0bd36e16805f826d2651ba036b4e5abb19b817d960
SHA512

04882fca41d0369aa65b443206b7bab12a96a71e0fecc36e4017fddf93676acbdcf6ae23e2436bdc76f0b7f8e1c7a854a33aae4acde1a5b35f0fc9927ee9bb70
SSDEEP

1536:lNapglX6P7eUUsqSOGyd5T/08S4kMz4o5xZfsRQNRkRLJzeLD9N0iQGRNQR8RyVd:lNegAeUzDyd5ThT5xZUeNSJdEN0s4WEd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	09fca3bbe5a84e4c3633ee44df52c7b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	09fca3bbe5a84e4c3633ee44df52c7b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe

Executes dropped EXE 52 IoCs

pid	Process
3136	Ojaelm32.exe
3472	Pqknig32.exe
4592	Pgefeajb.exe
2428	Pjcbbmif.exe
880	Pggbkagp.exe
4048	Pjeoglgc.exe
3544	Pmdkch32.exe
3816	Pjhlml32.exe
5036	Pqbdjfln.exe
1868	Pgllfp32.exe
4472	Pjjhbl32.exe
3876	Pqdqof32.exe
1736	Pcbmka32.exe
4132	Pfaigm32.exe
2132	Qmmnjfnl.exe
4016	Qffbbldm.exe
1600	Ampkof32.exe
508	Ajckij32.exe
728	Aclpap32.exe
4680	Ajfhnjhq.exe
1864	Acnlgp32.exe
2284	Amgapeea.exe
1252	Anfmjhmd.exe
4428	Bjmnoi32.exe
4816	Bganhm32.exe
3428	Bmngqdpj.exe
884	Bffkij32.exe
2676	Balpgb32.exe
3776	Bgehcmmm.exe
1680	Bmbplc32.exe
4296	Bclhhnca.exe
2840	Bfkedibe.exe
1648	Bmemac32.exe
4688	Chjaol32.exe
2668	Cmgjgcgo.exe
1504	Cfpnph32.exe
4404	Cdcoim32.exe
3056	Cnicfe32.exe
2248	Cmlcbbcj.exe
3932	Cdfkolkf.exe
4260	Cjpckf32.exe
4008	Cajlhqjp.exe
3092	Cjbpaf32.exe
3216	Ddjejl32.exe
3704	Dmcibama.exe
5020	Ddmaok32.exe
4040	Daqbip32.exe
4412	Dfnjafap.exe
4220	Ddakjkqi.exe
432	Dogogcpo.exe
2452	Dddhpjof.exe
4700	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	09fca3bbe5a84e4c3633ee44df52c7b0.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ajckij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	4700	WerFault.exe	136

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	09fca3bbe5a84e4c3633ee44df52c7b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	09fca3bbe5a84e4c3633ee44df52c7b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	09fca3bbe5a84e4c3633ee44df52c7b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cmgjgcgo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 3136	3332	09fca3bbe5a84e4c3633ee44df52c7b0.exe	83
PID 3332 wrote to memory of 3136	3332	09fca3bbe5a84e4c3633ee44df52c7b0.exe	83
PID 3332 wrote to memory of 3136	3332	09fca3bbe5a84e4c3633ee44df52c7b0.exe	83
PID 3136 wrote to memory of 3472	3136	Ojaelm32.exe	84
PID 3136 wrote to memory of 3472	3136	Ojaelm32.exe	84
PID 3136 wrote to memory of 3472	3136	Ojaelm32.exe	84
PID 3472 wrote to memory of 4592	3472	Pqknig32.exe	85
PID 3472 wrote to memory of 4592	3472	Pqknig32.exe	85
PID 3472 wrote to memory of 4592	3472	Pqknig32.exe	85
PID 4592 wrote to memory of 2428	4592	Pgefeajb.exe	86
PID 4592 wrote to memory of 2428	4592	Pgefeajb.exe	86
PID 4592 wrote to memory of 2428	4592	Pgefeajb.exe	86
PID 2428 wrote to memory of 880	2428	Pjcbbmif.exe	87
PID 2428 wrote to memory of 880	2428	Pjcbbmif.exe	87
PID 2428 wrote to memory of 880	2428	Pjcbbmif.exe	87
PID 880 wrote to memory of 4048	880	Pggbkagp.exe	89
PID 880 wrote to memory of 4048	880	Pggbkagp.exe	89
PID 880 wrote to memory of 4048	880	Pggbkagp.exe	89
PID 4048 wrote to memory of 3544	4048	Pjeoglgc.exe	90
PID 4048 wrote to memory of 3544	4048	Pjeoglgc.exe	90
PID 4048 wrote to memory of 3544	4048	Pjeoglgc.exe	90
PID 3544 wrote to memory of 3816	3544	Pmdkch32.exe	91
PID 3544 wrote to memory of 3816	3544	Pmdkch32.exe	91
PID 3544 wrote to memory of 3816	3544	Pmdkch32.exe	91
PID 3816 wrote to memory of 5036	3816	Pjhlml32.exe	92
PID 3816 wrote to memory of 5036	3816	Pjhlml32.exe	92
PID 3816 wrote to memory of 5036	3816	Pjhlml32.exe	92
PID 5036 wrote to memory of 1868	5036	Pqbdjfln.exe	93
PID 5036 wrote to memory of 1868	5036	Pqbdjfln.exe	93
PID 5036 wrote to memory of 1868	5036	Pqbdjfln.exe	93
PID 1868 wrote to memory of 4472	1868	Pgllfp32.exe	95
PID 1868 wrote to memory of 4472	1868	Pgllfp32.exe	95
PID 1868 wrote to memory of 4472	1868	Pgllfp32.exe	95
PID 4472 wrote to memory of 3876	4472	Pjjhbl32.exe	96
PID 4472 wrote to memory of 3876	4472	Pjjhbl32.exe	96
PID 4472 wrote to memory of 3876	4472	Pjjhbl32.exe	96
PID 3876 wrote to memory of 1736	3876	Pqdqof32.exe	97
PID 3876 wrote to memory of 1736	3876	Pqdqof32.exe	97
PID 3876 wrote to memory of 1736	3876	Pqdqof32.exe	97
PID 1736 wrote to memory of 4132	1736	Pcbmka32.exe	98
PID 1736 wrote to memory of 4132	1736	Pcbmka32.exe	98
PID 1736 wrote to memory of 4132	1736	Pcbmka32.exe	98
PID 4132 wrote to memory of 2132	4132	Pfaigm32.exe	99
PID 4132 wrote to memory of 2132	4132	Pfaigm32.exe	99
PID 4132 wrote to memory of 2132	4132	Pfaigm32.exe	99
PID 2132 wrote to memory of 4016	2132	Qmmnjfnl.exe	100
PID 2132 wrote to memory of 4016	2132	Qmmnjfnl.exe	100
PID 2132 wrote to memory of 4016	2132	Qmmnjfnl.exe	100
PID 4016 wrote to memory of 1600	4016	Qffbbldm.exe	101
PID 4016 wrote to memory of 1600	4016	Qffbbldm.exe	101
PID 4016 wrote to memory of 1600	4016	Qffbbldm.exe	101
PID 1600 wrote to memory of 508	1600	Ampkof32.exe	102
PID 1600 wrote to memory of 508	1600	Ampkof32.exe	102
PID 1600 wrote to memory of 508	1600	Ampkof32.exe	102
PID 508 wrote to memory of 728	508	Ajckij32.exe	103
PID 508 wrote to memory of 728	508	Ajckij32.exe	103
PID 508 wrote to memory of 728	508	Ajckij32.exe	103
PID 728 wrote to memory of 4680	728	Aclpap32.exe	104
PID 728 wrote to memory of 4680	728	Aclpap32.exe	104
PID 728 wrote to memory of 4680	728	Aclpap32.exe	104
PID 4680 wrote to memory of 1864	4680	Ajfhnjhq.exe	105
PID 4680 wrote to memory of 1864	4680	Ajfhnjhq.exe	105
PID 4680 wrote to memory of 1864	4680	Ajfhnjhq.exe	105
PID 1864 wrote to memory of 2284	1864	Acnlgp32.exe	106

C:\Users\Admin\AppData\Local\Temp\09fca3bbe5a84e4c3633ee44df52c7b0.exe
"C:\Users\Admin\AppData\Local\Temp\09fca3bbe5a84e4c3633ee44df52c7b0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\Ojaelm32.exe
  C:\Windows\system32\Ojaelm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\Pqknig32.exe
    C:\Windows\system32\Pqknig32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\SysWOW64\Pgefeajb.exe
      C:\Windows\system32\Pgefeajb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        53⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 416
        54⤵
        Program crash
        
        PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4700 -ip 4700
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
93KB

MD5
0e124b92e56e95d5187234d66af3472f

SHA1
8dea31149b410fcf17f24d5d9256b546138aa0e6

SHA256
552e91a0175397975b712a98f375fecd443a98f9098eb61cbe0e73be21708483

SHA512
ed1c054d57e31aee1bdc2cee57b888be4a8a199e77679477fb03babd174b7be5f52a597c546c0f1780446da086ec21cbc58bb956591b9c5d709fb8f607fbd8a0

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
93KB

MD5
f4c831d1e58d1a1ca26f5dbf442e7aa4

SHA1
fe277460043eceae5cb9bff5c0377ce0d9f7af37

SHA256
c6649b3c27c66e394386bb310395dd3997e873d11383a950967ac5902ead7e19

SHA512
a259e0257b7393c15dce105be17504af6cc85f5084d392bd42b21422c8bfd59dad5934cac9eaf9c3569b757f19b97c0d5cb42d833fd1f059e6b289fff8ea9401

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
93KB

MD5
a9921a8672a8a7a41b3fdcdba5b989be

SHA1
fa92954d50405cc2df7d897c294d148e82578e92

SHA256
0c246576914e8e03bef33ded072824fd09312d0e0601b65fe298b46d3cf98590

SHA512
80913777291755b0b807f5c41a1e3c80fb116fc4c32eb859bd59d2f06394efd29bf953702e3768f0643aff8487f56096792792c9ead54676b30410462d37f265

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
93KB

MD5
b0847506994e883d0a9c763e22905d3f

SHA1
e0e0d035abef93d99fcc89d59e428ef846bc31a4

SHA256
048bb84b6c62217d22eda6f62588a26990ebd977d982043b5f489be51488bfaf

SHA512
1e1a37310622900acf5b8cc3ac63a3c4c47a4a8d96ea114e17cdd3f7603548cb54e74308aca86a32458129986c1ec0f3926d50e0204d9affb880cdb590c7acaa

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
93KB

MD5
39f157469ee7ce829c818a7ef76da01e

SHA1
a6f7ac05bd643adad47495facee2c4813a0c74a8

SHA256
a97983ef3a97a19d2d3fd25acf76f2545997197ecdf3b12c4b00496ea13c8bbf

SHA512
6c9a22869b84915595390904da25410b51690798c2bb351e5b3c96a823e307921ea28d5863baeab1d544f0ff56a4388075cf751100349544fd320aea286bbf7f

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
93KB

MD5
1111e1b98eea453251ece51d9e18087d

SHA1
45f4c52e6da2aaa47d164c281393a322f26bd1f3

SHA256
a3c9b264c69ff902305e03e29110d4a63e964de839829f6e1851c287eacb89c4

SHA512
ff821335dc192f8f45cb59656ab2a1f06bde2ccddf460e66f60af1d9a997091c7158c02bef65a13af0c23000c03c3323a1949486a03c0042abe1270483d6e8cf

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
93KB

MD5
4d33bb0f5773764e4b4cbd51244da3c3

SHA1
2bd5511ca2c79344917851a9a42ddf8bfce05b6a

SHA256
5271e470eb6d2b7516da3e8c4ac501bee27f1ef8e8baed3a514a2aadc08b124e

SHA512
b20f351db47718b151028ccd3c7a751f9ac25e986f060af2f6e27c74132fe4a93748329a67ba9c33ab112f39ed497e9c74250f275edf8707351dcffaac537d17

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
93KB

MD5
12427c5f730ca8b52db51e217186413b

SHA1
50fe9975a680652d4a8f23bfc491a2f6c3526639

SHA256
b49612ccf37389d9d8b6299c9119d2783e6463985b2ddd1aca5aaf5a8107a3ba

SHA512
133198a92c362b04dc1421624bc88ac3eb880b764b0a53caa32ca12528d20a5ca8af22a82c35c152ccc78a98a68516b9742eb3faeb3aa5ceec6478e163bfeb6a

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
93KB

MD5
daccf4e4a913278715675e7b84a10155

SHA1
79378d56bd2d444b42bae5cdab183f1f94c33a89

SHA256
4c32c4b2ffe8b9d6207fc57ddd87c3c81f0f79cf63abdef77e07ed27c33de543

SHA512
e2adffc8114bfe1c5b527ba9ccdecf1ffa130820ab8e1a5d51d457aa2a3e9b2f895796f87f4d4db33593e3bc64da519ba78b34fd9427aacc1e8a1a4ec4f9f4a0

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
94cf7817a641406a1a057c190220bb28

SHA1
bbc1a4f6d488769a91b8c5090365d0ab3913c176

SHA256
f4fbd839e6533f0cbcfaac530814c9479dd6014e9427d5918905aa517f85560e

SHA512
1d037a3cc353ad9f292c6130c85f5d009489d090c0a515a7a8fe9b0b52161a1bd764b3b9dfea88279888572a6e73a8e302caa197c7b3d8e6dd5a07b90007290a

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
93KB

MD5
fd8cf550598b9837ff0f6ea87929345e

SHA1
c7404c9466f5165c2dae16b54f0948602016f779

SHA256
eda5f5a2ee5f5ada2e4fd90ea39103dcdfcff5ea237e9dfb657ce404fa100d49

SHA512
9a4f44b4e80c04ada71b4e6b650b8c9489bd48a7a4a12aaa6fb4a65b08cb303ebe9faf753e9367dd3b45e8fe56f4985d9d4589a109a42037ee241bd632a85e58

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
93KB

MD5
0b59c212235fe8ad6873b3f5b882af0e

SHA1
f3478394dc80cc206b7f9054ea4dff3998f5af1f

SHA256
cde2fd99e44f49eb3e4713c6d436afd1e67c25f25d81d6a9493ccd309479157a

SHA512
9f165959ca97cf222e00ee435a2084e2dfa80d4855a8f05bd8ee94444a8df0f6d5a86c7e37e957cd009868148c5dad5b2a6329e06e62f46c518848c316b79874

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
93KB

MD5
15c417296fe137659196a2cae663fc29

SHA1
5c05abfd34939bd8172052ae01060b0f131fd3d5

SHA256
734b9ef9d8296e05713cf8c4919247467a1b9bebcf798af83bd35c5b0835569d

SHA512
1f1ed355912a3f96f4357727d68b0fdeee494841d01a2eb5134e5155ab6b5c0fcb0e1ac3d907df7841e1cced7c7e192bb98e7c82b6fcde357a309c9f24a1b6e5

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
93KB

MD5
a99d8ef4c1ab54658fa4c2f78c1a0550

SHA1
a7b76ca684aeafb17600290c326c946731bfad5b

SHA256
b4e1d8874ebd87915d5ee54c67a1f7da28aadba0d772c45c5aea34dc89a55316

SHA512
c2f72c55ea7e6c9ddf10cf4a1b137c3e68a314d035e282644c33a3947d24095032597e04447959e6639c0f8c2c6142ab2fc659d8910b77d2e46cdee17d735878

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
93KB

MD5
6d1dc2ea01746b248ea20ca61c6e30a2

SHA1
08b84ddb347f1e537f15f9ea14766798b4c4361f

SHA256
9a752b76610f795865169fa85c129ebf40722079975a150d1c534d769e0d88d0

SHA512
23a2be27c79c5fcea8e0fd91a9daa3608afcd04c77b25469c7deb9a287882f5c9eede9adb5ceb8b98e3663149908b6cca747995f5f77f85892ae85973a7c4c47

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
93KB

MD5
be61e86250b1812eb935fc0c8fa3f709

SHA1
10718f020634c81d510a6dc4e923d4b100c645dc

SHA256
e980878c2c331b3b71e4891acae71a31ff06b9bda5857d4b697a58ec0774f9fe

SHA512
e28deb578d41d0997365462685df836a7a4ff540ad6085d25acfa14d408735350fbfefa63485bbe441e1440f384582a5c5e522399101d5d8267fd0ae0dac9d24

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
93KB

MD5
e083f8042eeed2860295561dfb66c13f

SHA1
f938ea4dd63106a2f0df1be74368fa3d9dd81ac1

SHA256
9993ac2b8eea3e3967e1a9e69b9ee252ce4b16d5b26805443002fb416c1dcb9d

SHA512
85630711b790216eb7ca00e2058df2835a606462d31448d736dbf58b44b49fc8c55406093ec4409bc817e19b68aeb67dc10be32a724f2b83a57ef8754a0410ef

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
93KB

MD5
d7e1fd1b380c20e6cb51baa9d5ae8104

SHA1
375c1fe0256c3a553d2ef617e0a6f9463ea46cf7

SHA256
88a86de1364a6538cc9916f2c338581ed4aea783990ab4ecdb5cab809d742764

SHA512
dad96561f2eac1b48ab4c93eb57d595c66713b45fbec402a65d1e248f1d71856a651b3e835bf56c9979cbc2030f1097d423cc912fd7116ad50209466fff1f18b

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
93KB

MD5
37c468b92dc206921fa44ece5efd3378

SHA1
ae33bf3f03c28ff71bc5ff5aaad2a97d810003cf

SHA256
eee302031ec16910bd12f5fc75f86930ef7f2132e02b17e7fb828be40459baec

SHA512
a99907f38968ed427fefc2a51356db7455b1bfc8a4ea26d0cf96951da0fc64123f47539c08d7217d77f47064a3d1adfa03b7c87499fda2c840dfcc6d4b1dbb75

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
93KB

MD5
5036e82207d62fec0ee67737be14d92b

SHA1
5846f1c572e349750e2950a4daefb9bd697dc79e

SHA256
84260d58aa9f70acd2df4776e5413d15de6a6b56ca5fef38be680d32c76d0c32

SHA512
68689b1451cacdb9de4141a3e6f53ee923df444532b04b1ef72f8d07f8f04965bfc472723bfa4239ea9ac3330e5cb09b5e51659fe5461e46355e99478eaa7c49

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
93KB

MD5
fc3ab94dd6821240200d54636059df21

SHA1
008d9e06f6fffcb084eb466aa29e3d6280b30f1f

SHA256
aa2853b3953d95e3d3c5a0be97262d44713b2004938cf0a4ec57bb278348f08e

SHA512
ac35f302d112f51a9f902072674ad44706f867f012d0cb09f1ac344e80aadd4bde427e73432a6bb61835f3a3e282c32ddbe929f6d183b8df2713e81e4c59d8dc

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
93KB

MD5
131abd81b7b5b9057ad46a3db852cd81

SHA1
81660a606b58ecfa49efc68f12c3724a0c0a577a

SHA256
bc078496daa28ed0dcff273492f421b396ab9f2e0d8bcc9dc340ae0e66dbf94b

SHA512
07fb971b58b62bb92958d882317ab8a7325e2c6e56ba55c505dfe0bc4645665f757e3a19a16e83e745aa47795f547ab0216c817b482115860e9240f537e2e903

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
93KB

MD5
f1519049ab538f895de736308d50e946

SHA1
ffdd296e0c41eb699e3b93620eb8e28c9d544924

SHA256
609cd5004bd5e2bc0227745956301d0fe1bc3656304598200ba69f869fbc1211

SHA512
b39eb23941a0bf7ac20d8aef42bbb0b5ffd124d0ff82b7e86ac53b9af69d669a6a9e7b11845f55478f59d651fa6552f5c60ba4319385285c0cd0963398d36f4c

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
93KB

MD5
6e0070f07a316274eb151296536e78bf

SHA1
e99bf92017a2b14bf9dd4513d2299c235ac3bd04

SHA256
af1e4e46745e7e1d07f84c599348f703e52653aed4abb77820a50e546343318b

SHA512
e654372e61689a1e01e57b06a3d85a78721f541d06a8920fe75593df614d24d19085921d36f5321c7a75daa5db31c7eb1ba4d0d2b4c85367b9e8a41f6cc1b85e

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
93KB

MD5
33ca45a9c240da47edb1eb526b8b6079

SHA1
f52d2ae530d942d51551c223177bd8bd8fbe8f75

SHA256
57167b994b25930f03aa69044ff2f74bf899535d1f49a581cd3ebeecc5c242d2

SHA512
7d5bc9551d866f02f54273e837b4268ba4840260e13cf598a2717b40483affce51cba01a3ca7eb0f78dbbcc43eefe67dac291cb021b6be3f56bd6d8a883a3a63

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
93KB

MD5
4cfd88488227587943cdb1275d2ebb9c

SHA1
a8718a7ed9006b0b26928f4d9f236628c74627ee

SHA256
a7c9d7f304579219b2e1fd2327a79dff2b8f3309c9ce85188630d445f6558dca

SHA512
f51df3faf84ab1f1b3996869d52f08f8a2f9804e8d2394a6567b65455d14b136ec8f1486650ef60c8078809448f59c46a073dc7ec1a14b99ec912a77c5afaac3

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
93KB

MD5
f6206ded04014ac924821ca4508b9157

SHA1
ca56c923f57e3f201afb613842001b3cec20f777

SHA256
c17c51861c24ebea3071506ca56fadbc7c14cab29448659773f9ae071ed2db7f

SHA512
a6ac2df6b63cc0b69080c536effe6efb10f3deb008c11613a0a0e8e64c17496e65bb851a4de74cc94f047de6beaf4bfe0419da76f5659ffe7ede8a614600db97

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
93KB

MD5
530f22dcdf933f00fe4ea6725905a108

SHA1
106bd6b6fb3c9f8200fbb89496f617edc42bd566

SHA256
b8c644fc12cf1147a9e412454375bc400eb6f1db66323b9caddfdcefb6e46f5d

SHA512
7d2beedd161215f9d814fe92eb7f9821a10f0bbac83fa7300f1560e6acb6fed859c9869516942ddf368567808f9fd172f22ceece0124a12b927d356c14906ec9

Download Submit
C:\Windows\SysWOW64\Popodg32.dll

Filesize
7KB

MD5
4a296bd2067e68842638ee79e1b8168c

SHA1
fff1c8262e759ea13e76f82d0147aff91f25f812

SHA256
eb9b39bb5a23dbd74e39a5a378b7d9bf8ca00b004d66a895fd531394f9aa43ed

SHA512
8a9430f79259be421a1b02a8e9d5fd5caee1d62efa55d98dfea807d84b094c505877448bfa0233f7087d29b1df6f9ff1ad6fe9d777340c99beaae6008cb77653

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
93KB

MD5
dde8e66cbf3575cff9ae8d4c18929558

SHA1
7ca9697a4a0dd61a5d312013b79d8954945b5e74

SHA256
82b0e334a69feccf73bdc21a9fc493b0ef5f604b7135a37d88915f0060eb0737

SHA512
d6d4afbb8790bb418da0c194515a2a6e618544c2d06d44ca926f2e1d233dfd5b44946afdd32b022429043a5cd0c0214bbf4e9b4466844be526c6f4086f1f4d3d

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
93KB

MD5
eb3bfd80e21df564cb4aa0d47b8d4804

SHA1
b2d53fc1ad04e6aad47ae5f3c1a82d1aff92d29e

SHA256
7cfc5e5db910149268344edfa7b143b84c112b8e9c22775a49f7635b25f574de

SHA512
05022c693b4e97033ff38354de15ce30da084523d6ef52c65a438552312c46ac6726d2447bddcda58f570e65c48570089e00e1adf4ebe7ecc58f18075bebbb61

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
93KB

MD5
8e99d1103e2b1914f86b8f2f12ffa621

SHA1
3ea831eb7096afeb7df9752ab3ed3ed2eae61fd2

SHA256
f6f9a75e405e9b40ca6239107bac0dd4cb4c83e42a820fe54285dabe35ec759b

SHA512
142961bcd258740d7866494565f0258f7edb8c60b3626a41aad6e16e848ec94ff2b162dbdb2282ccf7c24e282e9ef3a85f715dad12ad81d3ad0e18a7b96c54c7

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
93KB

MD5
fd0097e974e7ecf5630f62775d63b1df

SHA1
43de6d5f9a78bcdebb74971a33797c031f8e5823

SHA256
ebb37a0c1f3b9cf74b8b7e07b2cb4b23058ce594a455a5018f10ea67bd6f9bc9

SHA512
29a1c26d311e655651d59b3e6383f8280828ef5ef48d9342fa9fccce3c3f2d402ca08e32d10ecb5c0abc44427aa854b708c84b74b0f2ef6e59fe84ba74dc4fe4

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
93KB

MD5
9dc5e972702821999ee062d9db279aa5

SHA1
9ae3f75e6e4838836f751bddcc4f59eb91296d83

SHA256
46f7bcc65371f521efa7c53e1b48a1ea78cadf793f0efb350216bda8e089b668

SHA512
a1e8a6fb45ffe5ab44b5fae318bee47dab19bc666f3d3e9f919bb6178b36ab789908c62f6b0a443ea48fc739c4d0c3e646eca4a5f95f4d564e445be1a44b496f

Download Submit
memory/432-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/432-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/508-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/508-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3876-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4688-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4688-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads