e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe
Size

186KB
MD5

7ccca3632d14bddc9e51e53e8e19ed51
SHA1

128cadb0f6c5975ebf24742e91147f1a0279e5e0
SHA256

e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c
SHA512

1b9056450dc3dfd51a7221d0debad0450f2ce27e96ac084eafc9cd4744fe53e81a0953de42e198c7813f1595720ac2a9e78594269b0ac95269d1a5ed805ae224
SSDEEP

3072:fbI5+jBrC35Fv+Y4H1vkF3VOMC4uMhZpMdoVBRDI+Vvlg3vG:Ds+NW5F+Jk/4AcgHuv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe

Executes dropped EXE 52 IoCs

pid	Process
4796	Ajckij32.exe
1472	Aeiofcji.exe
3936	Afjlnk32.exe
3652	Anadoi32.exe
4656	Aeklkchg.exe
320	Agjhgngj.exe
3924	Amgapeea.exe
436	Aeniabfd.exe
1916	Aglemn32.exe
3592	Aminee32.exe
3996	Aepefb32.exe
2036	Bjmnoi32.exe
2776	Bmkjkd32.exe
2848	Bganhm32.exe
1160	Bjokdipf.exe
3512	Beeoaapl.exe
1756	Bffkij32.exe
1012	Balpgb32.exe
4748	Bgehcmmm.exe
3956	Bmbplc32.exe
3988	Bclhhnca.exe
1452	Bmemac32.exe
2432	Bcoenmao.exe
2732	Cndikf32.exe
2164	Cenahpha.exe
3224	Cjkjpgfi.exe
3984	Caebma32.exe
3640	Chokikeb.exe
3628	Cnicfe32.exe
3552	Cdfkolkf.exe
4564	Cmnpgb32.exe
5064	Chcddk32.exe
1216	Cmqmma32.exe
3772	Ddjejl32.exe
2784	Djdmffnn.exe
3748	Dmcibama.exe
4048	Dejacond.exe
4556	Ddmaok32.exe
4224	Djgjlelk.exe
1744	Dmefhako.exe
1856	Delnin32.exe
4668	Dfnjafap.exe
3416	Dodbbdbb.exe
2736	Daconoae.exe
1564	Ddakjkqi.exe
2580	Dfpgffpm.exe
3404	Dkkcge32.exe
1956	Dmjocp32.exe
4608	Deagdn32.exe
3204	Dhocqigp.exe
548	Dknpmdfc.exe
3028	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3784	3028	WerFault.exe	136

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4796	2108	e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe	82
PID 2108 wrote to memory of 4796	2108	e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe	82
PID 2108 wrote to memory of 4796	2108	e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe	82
PID 4796 wrote to memory of 1472	4796	Ajckij32.exe	83
PID 4796 wrote to memory of 1472	4796	Ajckij32.exe	83
PID 4796 wrote to memory of 1472	4796	Ajckij32.exe	83
PID 1472 wrote to memory of 3936	1472	Aeiofcji.exe	84
PID 1472 wrote to memory of 3936	1472	Aeiofcji.exe	84
PID 1472 wrote to memory of 3936	1472	Aeiofcji.exe	84
PID 3936 wrote to memory of 3652	3936	Afjlnk32.exe	85
PID 3936 wrote to memory of 3652	3936	Afjlnk32.exe	85
PID 3936 wrote to memory of 3652	3936	Afjlnk32.exe	85
PID 3652 wrote to memory of 4656	3652	Anadoi32.exe	86
PID 3652 wrote to memory of 4656	3652	Anadoi32.exe	86
PID 3652 wrote to memory of 4656	3652	Anadoi32.exe	86
PID 4656 wrote to memory of 320	4656	Aeklkchg.exe	87
PID 4656 wrote to memory of 320	4656	Aeklkchg.exe	87
PID 4656 wrote to memory of 320	4656	Aeklkchg.exe	87
PID 320 wrote to memory of 3924	320	Agjhgngj.exe	88
PID 320 wrote to memory of 3924	320	Agjhgngj.exe	88
PID 320 wrote to memory of 3924	320	Agjhgngj.exe	88
PID 3924 wrote to memory of 436	3924	Amgapeea.exe	90
PID 3924 wrote to memory of 436	3924	Amgapeea.exe	90
PID 3924 wrote to memory of 436	3924	Amgapeea.exe	90
PID 436 wrote to memory of 1916	436	Aeniabfd.exe	91
PID 436 wrote to memory of 1916	436	Aeniabfd.exe	91
PID 436 wrote to memory of 1916	436	Aeniabfd.exe	91
PID 1916 wrote to memory of 3592	1916	Aglemn32.exe	92
PID 1916 wrote to memory of 3592	1916	Aglemn32.exe	92
PID 1916 wrote to memory of 3592	1916	Aglemn32.exe	92
PID 3592 wrote to memory of 3996	3592	Aminee32.exe	94
PID 3592 wrote to memory of 3996	3592	Aminee32.exe	94
PID 3592 wrote to memory of 3996	3592	Aminee32.exe	94
PID 3996 wrote to memory of 2036	3996	Aepefb32.exe	95
PID 3996 wrote to memory of 2036	3996	Aepefb32.exe	95
PID 3996 wrote to memory of 2036	3996	Aepefb32.exe	95
PID 2036 wrote to memory of 2776	2036	Bjmnoi32.exe	96
PID 2036 wrote to memory of 2776	2036	Bjmnoi32.exe	96
PID 2036 wrote to memory of 2776	2036	Bjmnoi32.exe	96
PID 2776 wrote to memory of 2848	2776	Bmkjkd32.exe	97
PID 2776 wrote to memory of 2848	2776	Bmkjkd32.exe	97
PID 2776 wrote to memory of 2848	2776	Bmkjkd32.exe	97
PID 2848 wrote to memory of 1160	2848	Bganhm32.exe	99
PID 2848 wrote to memory of 1160	2848	Bganhm32.exe	99
PID 2848 wrote to memory of 1160	2848	Bganhm32.exe	99
PID 1160 wrote to memory of 3512	1160	Bjokdipf.exe	100
PID 1160 wrote to memory of 3512	1160	Bjokdipf.exe	100
PID 1160 wrote to memory of 3512	1160	Bjokdipf.exe	100
PID 3512 wrote to memory of 1756	3512	Beeoaapl.exe	101
PID 3512 wrote to memory of 1756	3512	Beeoaapl.exe	101
PID 3512 wrote to memory of 1756	3512	Beeoaapl.exe	101
PID 1756 wrote to memory of 1012	1756	Bffkij32.exe	102
PID 1756 wrote to memory of 1012	1756	Bffkij32.exe	102
PID 1756 wrote to memory of 1012	1756	Bffkij32.exe	102
PID 1012 wrote to memory of 4748	1012	Balpgb32.exe	103
PID 1012 wrote to memory of 4748	1012	Balpgb32.exe	103
PID 1012 wrote to memory of 4748	1012	Balpgb32.exe	103
PID 4748 wrote to memory of 3956	4748	Bgehcmmm.exe	104
PID 4748 wrote to memory of 3956	4748	Bgehcmmm.exe	104
PID 4748 wrote to memory of 3956	4748	Bgehcmmm.exe	104
PID 3956 wrote to memory of 3988	3956	Bmbplc32.exe	105
PID 3956 wrote to memory of 3988	3956	Bmbplc32.exe	105
PID 3956 wrote to memory of 3988	3956	Bmbplc32.exe	105
PID 3988 wrote to memory of 1452	3988	Bclhhnca.exe	106

C:\Users\Admin\AppData\Local\Temp\e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe
"C:\Users\Admin\AppData\Local\Temp\e8ae58c9fefff98bdb3c613b95d94c1c7d7e64afb3d1ce28ded38f4f294dc89c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\Ajckij32.exe
  C:\Windows\system32\Ajckij32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\Aeiofcji.exe
    C:\Windows\system32\Aeiofcji.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\Afjlnk32.exe
      C:\Windows\system32\Afjlnk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        53⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 396
        54⤵
        Program crash
        
        PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3028 -ip 3028
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
186KB

MD5
fe8bb3ebc54c19f8d17dd7a72d2a58a9

SHA1
1a02c8da09bffe8cbb4043dea0174d4874c1b5ac

SHA256
8fd773910ea41e1583940c96e1f75d24dfd0e6aed6c9038d4cafab53ef76ed78

SHA512
43c5b6879d8d8b8023433d108d9c074d6ed3bb2bd26b78e78016035080c1fd319aff78fb86001a1d8ba747d4c44bb5c61264c33abe42f44b245a8dfa8946e26e

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
186KB

MD5
b36b0d118f634f05895365a394ce4f76

SHA1
80e8cbe64fbc08f93df559400755cd55160c13b4

SHA256
ad07195502f1fba326ecee8aafbf720378308deb0b3fd547ed941db024eb9ea1

SHA512
8ab7ecfaeb408403751a400a1fafc898fb1685f7bc1276196a1332b610ad5fa047853d0c94afd1123cd8da89e88d1eec3ef818c323ee41ed57694aa67a87a09b

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
186KB

MD5
a9f9448421a985bb812eda13c243cf2c

SHA1
81df87e215bfc5abba41168e1fe68d415876628c

SHA256
530aaf872b350ef64ff3642a96a218792a1e454a50ed0a592c0e19479aa7f755

SHA512
403ae4420ce52ade67fb3e0bded269f4f3ba73020e93ff46a532938151a74d9d5f517972a68d34dc2f36ca6a56f4c5fb3e3fbfd4d4bd67cb572f81b8ac0c9ab9

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
186KB

MD5
117f9830b2f540b183ef197f82ff718a

SHA1
bc3ce79e300599970855b811753b89f48221e153

SHA256
e89a6a078a29e7fe74e66289a0c280ab2bd1a571329a76decad900c684e32c5a

SHA512
8c03efa6790d36ff9cedad6a91dd39fb9acd4ccf051ae42c5845689b98d6295a2dce316a705852a9ed202c442a2bc57d93507f20caddaea0daca2a7bacd3ee27

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
186KB

MD5
cf2590196d271840cd5cd8c2b84cc267

SHA1
1771029aeadecb0d55ebe110cad508900c2139e2

SHA256
86eb9bed72c954365f345b3f1d63a22f09e04e64876daad8e1514133acb4f433

SHA512
ecbd512bcf12510aa2b3e3000413547756fbbfcc536547ff7f69f10e82608a2ac5935a197bfa5b63f840d7cbfbed57ce86500a5613753a6cc9c92baacf5fe467

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
186KB

MD5
3fd1d7f85e553cd0dce695351d14859e

SHA1
ae54b2dd4ded8f89813b12294d0769cf218f548d

SHA256
51b8cbaa6947339cb29fa3336f66f668b8b776e5772eeb5f5cce4262c7dc7e56

SHA512
dd59e44d39752c15b1fe9d9fa6338f4b2269772a8441b7d69ee8985ad3f8bc16a19e2b5450cee5effa3494bf1be9a4e8e573f56f9637a525d2af9e9664eabe4b

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
186KB

MD5
b230a7e8b72ee317e7941fcdadba640d

SHA1
28f8ff6f18235bae3a76fb51aac7face04867d0b

SHA256
622a97f84136b830eea32e21f086d6a7e08766f195c41991bb449accdb42f8d7

SHA512
805444d4a61d5786da347b64d24d97f42bcf1ebefcd23f04c978589b4ae5a4f426a1cacaaa28cf44a18fd0f38257f3ce48ebdc474c26a7d70254da965786c3b0

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
186KB

MD5
20f023e0873db3ca9492fda0848c4041

SHA1
4512d5261eb7c02630367507361b3bdf77f085a2

SHA256
831eebadf61e1714a1df3c021d67caf9100d12ec81076e2904157f1b76a724a4

SHA512
b1fb3b0546f706b00c5734062bfba07025d18631dd506ce4c66d119ab86d531c2c5e1172f1183b53dff089e8aebc838d9782d611f0fa9a36cf06b5b648cc6d4f

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
186KB

MD5
67134cdbe81397447f2a30cabd84ea63

SHA1
bf13ba33d601955c56a8cfba455c3104dd717a14

SHA256
9aba32cdcd496df4b7918176f2e956557819d56a633bdc715dfc5629862ac4d5

SHA512
8e27393aa41425cf7c4cffb4b14b7b8d32df0817ae2ed99b8578a52d79cf7002d24de6fad4c106101e371304810905883db7d58ed114cf6657accbd2ff50aaba

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
186KB

MD5
5d0344d2dce30514270bda352d24b4ea

SHA1
9dcf3d8e2c65d3521b7a1cfaee9392e817c54d8b

SHA256
663a2983c02a400af9e6a5f2430e2e0a60bb94c5b2e287738496faf459182b06

SHA512
b4fe52011f93bbb48673d3b600c88960cf172c17c11ca26a4b02d499d4918cbcdb1cc51df554666205c55f7576745867b9f8a702b58bb5ad7bd0d57a805f5362

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
186KB

MD5
380d8489d1c42ac2b53c0d95c3a0ee43

SHA1
cb25750056fee6885d3ff714713bd5f83c5e553a

SHA256
932181c0b68c74032ae53f281df13d0f1960477795c85c78522665fc36e2c5ee

SHA512
a1fab5220189b8b8f857632fa06570a797c203c40f0f2a44ad86eb59fa1e1e94e97554562c5b35b69db0dd682d5ef3fc9464509036c9a75f8bf25f33186421fd

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
186KB

MD5
5620e6f8824d3ba6860541fd6dc7c619

SHA1
3974aefbb5b2eb97e82f777f31b1d575d22df41b

SHA256
90cca15a9412ee005ff6afb46953c0a4a50e1b9a0bd74a1a40433b81b87a02c9

SHA512
28824b0a6095206e524c9e81b04b7dfa28e527df6dda88e6cae4cff847907790fa99b928d142c52cd2192b2052c1b512fc4027e9e227549f839834c9176bb226

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
186KB

MD5
f0c7472f00df6fe8959fc810cfdff089

SHA1
416246ab19886cfb5b613a46361a550acdd4453e

SHA256
671826acaa142d045037527bff881453daab4b7def82efe22bc06e2c4dd7d9a9

SHA512
8794a79f16ee49a2c79ad376d31c59e15853dcd7edd8b37be92bb998e3bd00e065c18dba3d6e7eeac133d38d95ff1df8dd9701f22e4570423c29c0ce9751b66b

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
186KB

MD5
eca38492c184c3582951388f8f911f6d

SHA1
668f6067d21719f012f65bc60eb6745209c6a026

SHA256
516a3078adc65509bc46f336754814dbf26b24264b2f5024f7209cc2228b38db

SHA512
5574160ed20c5fb1a8dbd728659bac94c1849ce478d1d6ee54b585aa591dc2fd356fd0985d218f8e40bdbaa5aad4c42549f13d1d1aeea732f5958d77d6d27134

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
186KB

MD5
f5e8ced6f52fa69f7c069d883a3f510d

SHA1
af40f19e562abed63fca7391de62dec88cc3a68d

SHA256
5b54ab17cdfdeecfd5fddb25a7c5e150936f2c9c236ec78bc07884e7b4d89ad9

SHA512
3e500f3f4dfded30731ebc86d20ba39f662cbfb95e5f8cee40d157a76b297c7513cfb0a4a722cc49d7ae8d0d80f0534a61460321f229e40ff29280686055d195

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
186KB

MD5
4fe26c6312ec827af65e73581a18cae5

SHA1
f78dbc69bec8b5c37b6147604fdbe8a97dc6ebb9

SHA256
9472cdb197e48b30ab85cb7f5fda55e5458570873302998423e1556febdda14e

SHA512
192eedb10ff61bcdd91062c04b376f7f1beefed47ae01f030a729f65025492f8d2fd8e2c9e5e3a5df4a490bcfcfe9dde68c15664e36859bbd275883e8cccae42

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
186KB

MD5
2d8301a8b1d86a133750b0a9cd2474c8

SHA1
23e0695c4522cc484c7f01884a9d877851cc0472

SHA256
bb188e79744a5025dbb29ba08b8bd5cc1a3f1591cb2362af94c5e01efdf6171e

SHA512
03bea0d0cc255eb697ef6a36c3dfb5dfa6c858afb1eb6973752b7797f35fbf71721ccd54dd86b80ee43b6b303cca97e983df21a04b7e9e9fb7877bb03e6c84b9

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
186KB

MD5
9a37c684090eeac47414bcfd2a59c92d

SHA1
3910127557fdd1f9adf672dda087b4f74ab162c3

SHA256
84dbf8039fe5f60c5ed94992acadac6df5990690546a5f68d8bc4d66d6418c41

SHA512
e2fe14745b51c41c51aec7d26baca57654786bf68d0435d4e81d8525ddceeea42c3769028f2ef0b27c49a2185baef7463a002cbb4d6105a4ce3725cbeb25f8e3

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
186KB

MD5
37f0fbd4a95b5997d59e5efbb407fe42

SHA1
4ff1bbc53ec75e736882717394d388f8a86bf902

SHA256
1dd66b2e8973c634bd51a7d4dcc7abab2b4b2c13dbf1ac231b9a55438a792c5b

SHA512
cdc3aeadbcd1a34f3705c06a8a5683d8c557d7abeebe2ea4c45788d47d6206831f9725ee3ba1ba3a58a97e42bdf0777d70bc0b74a034de3ecb15ccf72fe2689e

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
186KB

MD5
990307e262d3b7478a23a01948bc3c3a

SHA1
ddd8b549f7eeb74720941fe75bd6e681f6bab191

SHA256
ce9fc1aeb71037aee5741eafc3a290a442ad6b357d0f1408e804a2bbab7dbef0

SHA512
15533677dbc865dd216f274d026cc273b18abf6ea8389fafe7d58b935d86e78664e231ab3ca511c87f5543ffb8e08309ede396f0458bf52f2acce20338b78798

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
186KB

MD5
6659e6fa4e4d4c1719be9f7948484d75

SHA1
246d93268ee203af4011d5b1b4d92e303901122b

SHA256
7568aac62b4bef5156e343626e10dc3325b0a68b4c547f68fe1a2167b96c3f9b

SHA512
01d237397ea4de6fb4ba4d21f4eea7c7232cab6feac9cd41ce5e1cee4ff11009a84e6c761f8df21cb76c7e41ca5360c6d21de9496277171fb1bfdd6126b51bb2

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
186KB

MD5
bb9e462670b748734c3ac9278dfd9023

SHA1
bf74d6659818a315d91164a7725f4f54fa8ba2e4

SHA256
9e6a0f16d0708fb6cebc2f3a2c6e9f7bd95a06edb4cd490c128d6e2bfa8cbe7b

SHA512
5263ee13c14802624e670b9070f6a4109eb23fdeab7d4d255373e2094b23557bc5c8b39b8b22425b2537761465c96411d9887cfa6883563f500a059239f34f35

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
186KB

MD5
bbeaa95f59a308e5170da5ca8a90a19e

SHA1
346937055f4dbc94457c40daf0fb48f6e8a64031

SHA256
4ec8838866b429cce1969983b8d54447aca84604c5b384c25288001e5f7dfa87

SHA512
b42273362a88540d2152d232917f67dc05ed96641e564bcf54fd493fa40e2acabad62de15e3445f54db76d9dec718bf34ead8d3dc18fe3717dcefda08924ed12

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
186KB

MD5
73a45b514125e52f04cb01ab15766716

SHA1
a6295a5bf3d65983184edffd75815dfd5c825055

SHA256
ef318e8c790a68f419572e19b49df0b2d8b2da03f458870e0349bd7f40fa3fab

SHA512
ff3e0b80d971ef079e05f44c61f30d230351bf7da403898321778e7bbf8ed1a2fcdd452646a377fbb095fbd69df2c20da392f1fca984a3b8bf0e440730bef27b

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
186KB

MD5
ad79057aa93ddbf9586bd23eb9e8504b

SHA1
c532086535952459def08404276a3d571fd77eab

SHA256
f7e3b07b6a9aa4e7c40573b82e05f16bbd71be6ea3195d1d8515397e58a04956

SHA512
c1103ea681b679280a0fc949ecac2869d33e0bcc68a7864be4bf2a0b6c2683721fbc85814f708612ba7f8bc44e2d4cf12910df385b2fca03e61a39d92fe86b2d

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
186KB

MD5
9758fdd2f17a0adc9bf61af8e3864576

SHA1
9a4bf4816dce5187ae0a1571435dfb9ba599f349

SHA256
026412fd69756ab70bb6b1f1d96482335bcc006f0e636634b4f7ac538b422f13

SHA512
695f9014a44c10eb1410131e4572e5924ee40dd78322b9c402ca8a3e16080a9679db3814c74f935d939718fafbb59368c2eb3ceffebb07c81dd8b7c892a37afa

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
186KB

MD5
b6c693c234e471f76d32d8ed20262c94

SHA1
50d4ed43dfcf96a2fa4bb598445409a6853cf861

SHA256
3a5a799c902eaa196eba57b51b2645d33aa380701366d6bba1260bcf237b56da

SHA512
68c8c4e786953a182f2fef13ae8e41906719c44df590f02b9eb5ef2c8df4d14dd37fda7dca48d2870014f99485138b28db705af6961242427a246b51835474ab

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
186KB

MD5
ac7701430562ddf14d392eb7e7665e58

SHA1
d64c5ae38233c846d6642b3a9cb421cc0da5631f

SHA256
3d57358c6bf43433f821ed3f11c4f9b189cae0efc84dd2b11094de39fb92d43e

SHA512
8d9472d3b2c798d72d54c3c945a80ebe7837ff478abd7025c7553223ea7d2c203a242d5ff89fa986023f6bdbd9cc807698523e555458c51beb49f5c42c8c4dbe

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
186KB

MD5
9644f63a184c0ac3848b7c3ba82f4e86

SHA1
cda6f1c12e79ce40fafd87c2f997154f6eb60d73

SHA256
87ffa71d0a0016074f802da9064fdb8aff4efb858f76cf176406ac8d130649ea

SHA512
4f6910167ca8711f5561d6c61c1c261ab6702e0d33e27e9446154ac1158f8ab74f32df50887c46587522bedeacb185ae34efa31965346afbd21d3412f775f058

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
186KB

MD5
4d7c91ddaa9a7784f7e9d36fd209e95b

SHA1
bf3169348c03eec00d73eb19741efad43aca0006

SHA256
52c8acaef48e95708bd56008906a5c3d29daaef56f80b81c4e23ad083aa03337

SHA512
fa6e3555a02143b94d8f1ec241ec97482f6c1b65527b65e1fb2a86ae903c93721ea53529de22b6b242b16c5938c5224b6f3cd3d0d8501e1ae713496fb5071204

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
186KB

MD5
99ed77e4f87ea28999ea318209ba3016

SHA1
0e17888a02e8fe1730c1f0354ddd7a197e346893

SHA256
fecdeaec48dd93d95b1bcb72a49dc9dcd7858086321fe76a6ccf32ee259698fa

SHA512
baeb08981dedfce9b866a658e3462037030128f2a255f32a4061cc515789bab2e02e2dc0d323e9ec40ad44c52b70c6e543ae257242fb0170c0aeb5db15d4b4bf

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
186KB

MD5
6a2fb56ba38464b5a561c4022d59f83a

SHA1
9b3182f3cdad6eb06d77b9028a056c8c1135ad7b

SHA256
6cfd389daf2626dba43a486cf121ab9d34f5abab45e4f5c0815d6834464889bc

SHA512
62a32e59b172a6cf883e42b33a777ba07d96fb1042f1d8c27d80579ced06e8492345d200da3ca45c001a3fd568df793ba159386b10d489010e93ee3d674153c1

Download Submit
memory/320-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2164-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads