3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6

Analysis

max time kernel
94s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
Size

93KB
MD5

079c6d238f67dccd53273eaed3ea9526
SHA1

730a3d06cfa2fefe9f0ca04f415feed54f5b3b2a
SHA256

3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6
SHA512

a6c9b8ae5a8aff4a0d25200fda7288b4b31348600652307944f06b7f679b23f7c26ae26cf30c78269eec21ddf7a06d3eaa017fd7d23bd961d7e44cb6799cbb38
SSDEEP

1536:IEXGFdafxnd5iIzWMpz7xyMMrND/k8aNyH6Fz6fXIIsRQXPRkRLJzeLD9N0iQGR4:IEaa5Xi12VyMeND/eE6cf4Xe/SJdEN0/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe

Executes dropped EXE 31 IoCs

pid	Process
4076	Bnbmefbg.exe
3476	Bapiabak.exe
4696	Bcoenmao.exe
3916	Chjaol32.exe
64	Cndikf32.exe
1868	Cabfga32.exe
2084	Cdabcm32.exe
4812	Cjkjpgfi.exe
2636	Cmiflbel.exe
4556	Cdcoim32.exe
3632	Cfbkeh32.exe
4296	Cnicfe32.exe
2556	Ceckcp32.exe
3804	Cdfkolkf.exe
3044	Cnkplejl.exe
1116	Chcddk32.exe
1508	Cnnlaehj.exe
1028	Cmqmma32.exe
2980	Djdmffnn.exe
2832	Dmcibama.exe
5004	Dejacond.exe
4460	Ddmaok32.exe
3680	Dobfld32.exe
2400	Delnin32.exe
228	Dhkjej32.exe
4416	Dodbbdbb.exe
5044	Deokon32.exe
4552	Dkkcge32.exe
4444	Dmjocp32.exe
5060	Dddhpjof.exe
4356	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4496	4356	WerFault.exe	116

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 4076	3612	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe	83
PID 3612 wrote to memory of 4076	3612	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe	83
PID 3612 wrote to memory of 4076	3612	3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe	83
PID 4076 wrote to memory of 3476	4076	Bnbmefbg.exe	84
PID 4076 wrote to memory of 3476	4076	Bnbmefbg.exe	84
PID 4076 wrote to memory of 3476	4076	Bnbmefbg.exe	84
PID 3476 wrote to memory of 4696	3476	Bapiabak.exe	85
PID 3476 wrote to memory of 4696	3476	Bapiabak.exe	85
PID 3476 wrote to memory of 4696	3476	Bapiabak.exe	85
PID 4696 wrote to memory of 3916	4696	Bcoenmao.exe	87
PID 4696 wrote to memory of 3916	4696	Bcoenmao.exe	87
PID 4696 wrote to memory of 3916	4696	Bcoenmao.exe	87
PID 3916 wrote to memory of 64	3916	Chjaol32.exe	88
PID 3916 wrote to memory of 64	3916	Chjaol32.exe	88
PID 3916 wrote to memory of 64	3916	Chjaol32.exe	88
PID 64 wrote to memory of 1868	64	Cndikf32.exe	89
PID 64 wrote to memory of 1868	64	Cndikf32.exe	89
PID 64 wrote to memory of 1868	64	Cndikf32.exe	89
PID 1868 wrote to memory of 2084	1868	Cabfga32.exe	90
PID 1868 wrote to memory of 2084	1868	Cabfga32.exe	90
PID 1868 wrote to memory of 2084	1868	Cabfga32.exe	90
PID 2084 wrote to memory of 4812	2084	Cdabcm32.exe	91
PID 2084 wrote to memory of 4812	2084	Cdabcm32.exe	91
PID 2084 wrote to memory of 4812	2084	Cdabcm32.exe	91
PID 4812 wrote to memory of 2636	4812	Cjkjpgfi.exe	92
PID 4812 wrote to memory of 2636	4812	Cjkjpgfi.exe	92
PID 4812 wrote to memory of 2636	4812	Cjkjpgfi.exe	92
PID 2636 wrote to memory of 4556	2636	Cmiflbel.exe	93
PID 2636 wrote to memory of 4556	2636	Cmiflbel.exe	93
PID 2636 wrote to memory of 4556	2636	Cmiflbel.exe	93
PID 4556 wrote to memory of 3632	4556	Cdcoim32.exe	94
PID 4556 wrote to memory of 3632	4556	Cdcoim32.exe	94
PID 4556 wrote to memory of 3632	4556	Cdcoim32.exe	94
PID 3632 wrote to memory of 4296	3632	Cfbkeh32.exe	95
PID 3632 wrote to memory of 4296	3632	Cfbkeh32.exe	95
PID 3632 wrote to memory of 4296	3632	Cfbkeh32.exe	95
PID 4296 wrote to memory of 2556	4296	Cnicfe32.exe	96
PID 4296 wrote to memory of 2556	4296	Cnicfe32.exe	96
PID 4296 wrote to memory of 2556	4296	Cnicfe32.exe	96
PID 2556 wrote to memory of 3804	2556	Ceckcp32.exe	97
PID 2556 wrote to memory of 3804	2556	Ceckcp32.exe	97
PID 2556 wrote to memory of 3804	2556	Ceckcp32.exe	97
PID 3804 wrote to memory of 3044	3804	Cdfkolkf.exe	99
PID 3804 wrote to memory of 3044	3804	Cdfkolkf.exe	99
PID 3804 wrote to memory of 3044	3804	Cdfkolkf.exe	99
PID 3044 wrote to memory of 1116	3044	Cnkplejl.exe	100
PID 3044 wrote to memory of 1116	3044	Cnkplejl.exe	100
PID 3044 wrote to memory of 1116	3044	Cnkplejl.exe	100
PID 1116 wrote to memory of 1508	1116	Chcddk32.exe	101
PID 1116 wrote to memory of 1508	1116	Chcddk32.exe	101
PID 1116 wrote to memory of 1508	1116	Chcddk32.exe	101
PID 1508 wrote to memory of 1028	1508	Cnnlaehj.exe	103
PID 1508 wrote to memory of 1028	1508	Cnnlaehj.exe	103
PID 1508 wrote to memory of 1028	1508	Cnnlaehj.exe	103
PID 1028 wrote to memory of 2980	1028	Cmqmma32.exe	104
PID 1028 wrote to memory of 2980	1028	Cmqmma32.exe	104
PID 1028 wrote to memory of 2980	1028	Cmqmma32.exe	104
PID 2980 wrote to memory of 2832	2980	Djdmffnn.exe	105
PID 2980 wrote to memory of 2832	2980	Djdmffnn.exe	105
PID 2980 wrote to memory of 2832	2980	Djdmffnn.exe	105
PID 2832 wrote to memory of 5004	2832	Dmcibama.exe	106
PID 2832 wrote to memory of 5004	2832	Dmcibama.exe	106
PID 2832 wrote to memory of 5004	2832	Dmcibama.exe	106
PID 5004 wrote to memory of 4460	5004	Dejacond.exe	107

C:\Users\Admin\AppData\Local\Temp\3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe
"C:\Users\Admin\AppData\Local\Temp\3fffb56cdf81154fe3fbdd0a7e01a28cbff32a1e258034f65e973d74080a42f6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\Bnbmefbg.exe
  C:\Windows\system32\Bnbmefbg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\Bapiabak.exe
    C:\Windows\system32\Bapiabak.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\SysWOW64\Bcoenmao.exe
      C:\Windows\system32\Bcoenmao.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 408
        33⤵
        Program crash
        
        PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4356 -ip 4356
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
93KB

MD5
a1b0aa1bba893571422f99c93ee23a71

SHA1
3b19c92a0dc0b9071efd6111eb0d8a83aa9b48bd

SHA256
2c1fdb55f30e8bf2ab34353829308f29cf53d15676e4be1f87c73be5073c2a66

SHA512
1e9eb949650fdd4075dd469e02df8ea9e13ca93a6e863941fc0982681683a75f70469e617fdc955dca93a3653358914f059dc03088e5fe6cb1b905dc127fe2fd

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
93KB

MD5
dcb2144eb98cac13488aacb368367ec0

SHA1
d3836b6b42d935d225e089bef0743de1adffbbb8

SHA256
3db669a76aa6c11d6fdda12fd4e0318d0dc5dafcf59b12bc07826abf67070a5c

SHA512
ac82e5080171342a298e70b4c7164895ae9352afd69eb5e5993d6c2ee69d327eac7e2956f5913b9d14b5511c2c8fdece0ed29a591250122092c78549c387fc14

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
93KB

MD5
7e67cedd9139932b0868d935fd122efa

SHA1
e4c49a4a83e6329e95195da3bcb2aa233fc2c5a2

SHA256
047dedf8d671fddb6901553bf17bc9a4c136c11e201b1d5eb8b676ce583276ad

SHA512
fc426e427633c510adc5b06055bdb72474160299578886ed4163d0c9363567660d4eb824519681ca01a7fc136d869603526b254d047022948851179fd481ccc7

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
93KB

MD5
81a1e0d82e1dcc216376979beab67db1

SHA1
79819a2778fcd07dfba9136459389df9b46c0c21

SHA256
e5c9baf46cebdac1247f257fda8010bd2dceb7282590b9de41b1a932186aba38

SHA512
cddf150125a9e26d32b45a49d23fad6d1eb44dfa730ba8d749df2408a7edee6e308aed433dced7f0d91fbb0804436fdeef6d87801389d1722b9432e55c332433

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
93KB

MD5
8e0b8005aa3cf2655e68b9d8e27f95d9

SHA1
1c18776a05bff40744c0c5bfe8b7667ba5c25d83

SHA256
89e30484e0eededae35b9cd242d11e68cd428b683f5b760cd8192dc7be5d5b99

SHA512
42e4a438a851e8b82bd9d29c65a0adb5830773a3bef0cd40b426b958969447d449894c400226895fb02cb3face0e4b205a2b00a9650d7c0244f0212d8407eb85

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
93KB

MD5
41e3b35d12c0447d06e4d0376223dc1b

SHA1
58970c34987fde4fc26f7038978ce3f69ed71d6c

SHA256
0b48049b7003ec54b0fe96e8fd7d8c8d50156e0e668355dcdf8ce5590f43f2c8

SHA512
9d390ed22d58cecda1952a2e1d37123c9c7668dd907b17df86fb4bf821e41c2e4189b37ac6f5b9ca6f4502506147585da6d767b6a829bdae7ef6603b79bdb494

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
93KB

MD5
be1f60b5b1792c12b2201e22d91e26d7

SHA1
73800b3469f7066b5f84979a2cfd764dc92acdc6

SHA256
e3cd848362a5066e00ec3b16ba7321972dfbfa4dd91869ad33e14f06269f42a7

SHA512
2af9dd733bb927abfa7fbbea00d8cc660e2843c24dff035a9605cfa0dd9932d2fa9253f40beb61b50fe9ed3f3b1179256eb4e8794a22d70a54f72c835c19cda4

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
93KB

MD5
bba0d388dc0ef29405b48fa26c472294

SHA1
dd26a4242b69d65b4cc9e4ac9cb214ce8a8186f4

SHA256
57016f4b2a09ac080be1f06520be59b545219569436ad82168e0b261c5db6816

SHA512
b8095bd398aefcd728f48ec1eb24c072fc427ce04e98d36a106c8638d429db342df7521ab42dc6fb9321756723e2b7ae4dbb7dd6b6734113ac74ade7bbf587a0

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
93KB

MD5
75e3cb273290227620034eb498850662

SHA1
bdd4dc30aaece22658c99e4a90519aa3f5cfbe80

SHA256
1e3bc5c61622b9c888a1bdbf8410820d0b4a7f7e4bc60d224ba67fa763281b0e

SHA512
b7e38c0e5da6589d029c9d0b4577453ff49ab50808687f327db1fd0450f5924101dedd17b0af746b0d57ee7b0ce7871f046fd665e5d448ce61fcde52106e8aa2

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
93KB

MD5
6dbd1c6fb10a5ffa10c8b0169b020921

SHA1
90137db8be148d38ec0acf54b802ae6769455dd6

SHA256
1a885afe8dc82850a9e139dec9c5c2bb7a9d59406923bacf36f24ec226504a63

SHA512
697a46941916d60cfe93ff71ea477c6a17daf0b302372537e39f3a9ee6897d72c1a019cf0f83110a1aeb828dd79cfaa8fae347da027db0cfcdfe2c9cd7d487c0

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
93KB

MD5
d7ba35697513d2eb05648d9f84d880d7

SHA1
bc0f549512aed42c1ccff23f533ca681254b0570

SHA256
f083003ce0e81a16373d6ab1edf9035a5c6235b7cedaa87b5be750c4bffea3de

SHA512
1db93031a3319394d55ab2948f29f61493c37b54be0530fcae47f1ed4192154d4f38e22ec27940ea87f32041daa7f30592bb6fa90278f00f9087a3f8670dcb6b

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
93KB

MD5
7d3d43e8efdcc16dbb660c03e1da43be

SHA1
ec179bc40a2ff194ef288a83890dfc8d61277d12

SHA256
15719e06b996db0a2557b02779742c0cc9401ebd88b53aa184509f3cbe0ee054

SHA512
8d75151dcf10864641310d995d93fad354c846a9554ed97512a2aad8f500aea30877e04b5f396419e1b0504b24059ee041208f59a318d1c5923f046f7095b6ac

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
93KB

MD5
9641ca98ba9112b21a4c18ec4632cf57

SHA1
86550a0c5455fd29f7036749a94abfb2f50c1fe1

SHA256
4c0c9be150de088eebbb5fd564778b8b0aa91989b635baabc2e75996183751ca

SHA512
ca1559ac3ee44227448dc6f7ca04a224e7f54b0939c87d788ae1845b4c42c6274c012ea74a862e1f4414883df61775e55707d5c785bf23acb3f94e27472525d9

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
93KB

MD5
24f80ab0e216e6cff9fb4fea85b3f795

SHA1
2102a7c9e93a7ebbb8ffcbdc24ec2bfe603baa10

SHA256
d80dfc06fe53aaf409784ead9f8529f8dece5d6d80a07876d8dc97190dc9686e

SHA512
89186152a244f37f64ab75a7bcfcc5fbcd702ca125a4a14cc368c21d682feac70f53e8d0228acbb724fba6b3cf5a6267748ec861b79ef9b147e876216403d38d

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
93KB

MD5
169fb1864368c477511ac8187973dd64

SHA1
7f0017302ea04d55e057517fa3b9b16fccddc9e6

SHA256
9778d0318c6245e1fabbd3f72ecbbcd9f38dde5eb4342c56c3ff327aa2afd840

SHA512
52aa476c8182390ba1543bc633e5e9b647d6c82ccdf66a4254edd502a0cf103264f73297033f80cc4693c4afcb31733ba8e430cfbd2d6b449f3b6f089e5710e3

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
93KB

MD5
85be91dca88b35f56f46f54ea9757cdb

SHA1
3dcc8cc5d1dac2e039c4297f306e081169f8451e

SHA256
005a9207ebb5e5f5bdcbf8614c3c8d40507b28aec8abaece976e4b202d674080

SHA512
6c02d281c1dd435983a8d8a32182d1bbe5ffbb0f35ef63530f62c8e38695a029b6fcc7d4c968e6dc0ee6ec20a36daf98499251d9eadf6d10155a2c105accf143

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
93KB

MD5
d0198e87077fce1a23eae1ce68599745

SHA1
e317ed5f6a5ef61f5dc7369fee5fdd135ea2e2e5

SHA256
a9ea908cc8b5ee8e09787d54292e9e94134ed5bd703e4a9f98d900b6251182eb

SHA512
dcb26a842bf22bc86ede8ed20891d7dc10103467a4ddf60d0bb0968c2684b85de60067e758c52abe27f63b32c2704be78f9fdbde2eb9c6bbc0be4388e77854fd

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
93KB

MD5
0921f6ccdd843b6154fe3e12af00917d

SHA1
8c2955c7c8cff5a41c0da1115109d1d8c1f1f2dc

SHA256
cfbf565fd85126201015914f182948bde596c57e174968bb763ef2473bafa9b8

SHA512
529fd8ac2bfa5a8c83a8c30e97d3a44dac61ca2f5ce9a52587efaaccb6ad605d752c733ee76511a6a38cc29318438a40d5c35ecb101abd6380cc279757061613

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
93KB

MD5
4384e1e494a2ce1f60b48465511b6c49

SHA1
99ad1cf86d94326b211bd42b6c01f122cca90272

SHA256
17b467e1ff62f19f5c951facc32228b56484b8d8817ef53dc631ca822a448dcf

SHA512
f5ea87f28310a11c304235519e4cd85d6e79700f3ee60d4a7bcbb8cdd224cb6f9233dba2d8b2b7a79c6d4d64f0e5e1b10c7eeaf46ebe0b6153899f2729848706

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
93KB

MD5
64a2e07944493ba71b7bd77ef9eaee9e

SHA1
760f962c5a4dad60a0bbfc9408942ddeed5ec596

SHA256
eaf63ebd7e314b9590c1507063fec8e736dec78e9f877f920c11e634a2b06458

SHA512
cd1f8324f63ae6117b441a80c62f3390022a7b5bb1703961a6c8cc6eac0b864f099d269fb5a7973a61ad55b8b7bc9989524445db8a9311154a8b688d90db7981

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
93KB

MD5
3085caaa5e075e586d778aa83593963b

SHA1
2e743d5dd53ea892ee1db8a0c8ebb4d6ed292126

SHA256
5fa58a546a08a4cca2b82d6cc070b41357dbd7c29ae0b638dcae6a261dfafe3c

SHA512
20532d9e0d9f658b2bd65f875d0087ecb577cb82ea8108dfaef74cbf78d48f306e273115344f6afaa530abcc31c82c26affe1b40674ca3311cc68f4c1509e6e7

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
93KB

MD5
984f73b1ba6695e1fac338da25f3dbfa

SHA1
a5a38dce5ddd43adbf67ecd25c09416019ad61ae

SHA256
e42b983ef141f756adf14db45ab2651be9fd588cb9997f05289c0f37fc0e31c2

SHA512
4933fa26d1a71d638fbfa362526d4307de13615b2351abe047dc8ae44f5c088cd5c55a01f816a0dedfdf63e695fc65efb24d81d4d2f502b0296b2e0eaed59c6f

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
c1a388291fdd22b81b8ee74c09491822

SHA1
fea894cc610d143002b4bea4ff9f2df69234d7f8

SHA256
0fabd81b788749add12c86c4514176a9f2d6db209ee829bff202f1d0e0ce9760

SHA512
cc74b3436f3bc71bf218e3a5b7bf93082773ead70ad9937db4d93072fef4dac29e41fa13824b924cfa9cbefe5ce2883318867d5892b549c45da29f3cca2f07d7

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
93KB

MD5
b66d9345ee71c492ea0fc83b8cb09415

SHA1
08d7516741504c367577839023d432c7e3fd2a5c

SHA256
c31c526806594e3701d7b30de372867dd4d3b5eb9b841fd88c3d198cac4e7170

SHA512
5303a5a31ad1a0a52587be5d4e7e5f02e8fb9dd9cf79160966d14ecca8925be6cff5caeb23800b5c2fd6c81d7f2e89a8ae9b8882f979daad5a4bfc5a08bb884f

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
93KB

MD5
6b0785c27562aeeb8112806bd40304c7

SHA1
423cea9b8fa829c9ece115c561091f77bdcfb9fe

SHA256
0caa17a66fbee35108f6845a87eb46f50b8263fb6e97267678644b18accf16a4

SHA512
f7a9995a7e0ae60183c03964eeab93e12fa32634f993f3a2e35d21bd82e9665bb4fad5c10166f5240c2d4895af24489e51b7d7feb25ffefe40b72db19662a571

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
93KB

MD5
0afaf4b2c0ecefffd27e17390e37bf0f

SHA1
666ff65ec995add5a9cc4a3d7932b54b74f3be85

SHA256
d3dd13c89f1e9007e0777cd73a6ae3544fd9976626326d3c284870bac33607b7

SHA512
99b665e48507eb821b8230467cc95e29e47307e2bf6888d42ce47a607c0e58b582451c78d642bee9baf173aaa8acc2bdc101c78d9a150a0352fe0f850dbd60ab

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
fb2deb86def0a32edefc94a1c644d704

SHA1
93babfc6c92de7961fc44b9d5ca673689484c5b3

SHA256
e58ee78be270acccd2f74eda23d533c54c44dbec6aca01d037dd89c4efe553e4

SHA512
627d577988fc5c1861fa949de07c66c4e1a0c0cff5581123b14132ade97e8ace3a4dda5feb4ba793d8b29a30a798f181b65eec92db255d6cc0c0e1c795e25bb4

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
6c34d7fb3388fb3193b19bc1771fa099

SHA1
0b48afa2d89d22e20e7f2ab10a091083281240b8

SHA256
0c6fc63939bbf08addcdd4b24d3e2c2799c62c554b25d47f3855fab9a0713cc9

SHA512
346f4cd2c86254488c7f282a124e04400d024a2e2cb8506ee05b37d8b41c075b1f87fb2fe11353aebc451bf804702bce7d9f0cf156c35efa53417c157ce095fb

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
ac03e3b2c25df71d647d5ff15b9d3e59

SHA1
b21e23862afbb6972fce1f32c56edce7ed9167d6

SHA256
a5bf9d19197e87224ac010daf403f494127b7ba258d40ccd1ef47a57a2cbe976

SHA512
d454bfb9a56ca1325b016bd0c21614b8c9068db4b156f4e2b4d21d1458e74f9d31544133dd8055212f29ea03d5a4dd1356c5929bac0ebf28b938612bef6ce84d

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
93KB

MD5
9023958a4e2a75f916739f343f1c42af

SHA1
e3b1182bd1dc668f9261e2d9ae64e62c213aba1d

SHA256
b53b41f4baadd1a0b892d62228e4d314e509747f68742f254147e07791e8ad9f

SHA512
08a1cdc212e5ae04a023ba706ed1e3b540fdf7fca673eacd0eed5e15e188860cfd51d07f92bad520f0c25bc433240caa5430d4b2390310b6ec5e7363e0a85375

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
93KB

MD5
5a59707d5feb213cdfbf27f23504a1d6

SHA1
efee8f5b819313669e9bf448fcd55de04158fcbd

SHA256
306501f7b5fa0623589a370deff8d718bba15b2bbc5403367baf45295daa9380

SHA512
db52eaf4c528d39fa8d0b5a7405493bd91b2c89255e5c3f6517aa351028d917bd3471c4e189420cc277c6e1ab9f646007ffce68d621eded7a0fe9526b0a49ab9

Download Submit
C:\Windows\SysWOW64\Fqjamcpe.dll

Filesize
7KB

MD5
09a2b5c433bf5d601448122277621edf

SHA1
4f8f847883cb4bc9f8f03c44557efdcc01a7dd4a

SHA256
f144e6973e790e5c9c2fd3e61d0d861b8f3f1f5df4d422debfe902e85d6d7944

SHA512
22a54d9b86b9082da2024019cbf6d106a61285e45a4ceaac52acf728fc8b027e00247f60a56c164fdbb93825b6e05c1cff147c5852002a162472b568cf7a78ab

Download Submit
memory/64-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/64-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/228-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/228-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4076-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4416-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4416-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads