600a1eda6c4da4ccaf30f75bca51107fe4d9c6868936aa8fd33f830da3c4343e

Analysis

max time kernel
94s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59acc4a2ef57533aa68894612a17ea20N.exe
Size

59KB
MD5

59acc4a2ef57533aa68894612a17ea20
SHA1

2e8a2ad2ff3983c77a9775df5d3f7d345c96198b
SHA256

600a1eda6c4da4ccaf30f75bca51107fe4d9c6868936aa8fd33f830da3c4343e
SHA512

e695366ee4a2aaa79d61226ecfe1c3a4ea85c225b8f7fd4d9cc34dde67b9988b4fe400147eb12d82779993a6402e96786f0bcf47ddd3f3b2766dabd99de2e0db
SSDEEP

768:XsDBZTArJDGUHjfB5OZCAPIbo9cTvGIyUJE732kL6KwtQJzgIwLE1g/1H5swXdnh:XVrUUDfmZCAPIr6If/gVENLE16aCh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	59acc4a2ef57533aa68894612a17ea20N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe

Executes dropped EXE 40 IoCs

pid	Process
4568	Qgqeappe.exe
1556	Qmmnjfnl.exe
4468	Qddfkd32.exe
2636	Qgcbgo32.exe
3384	Ampkof32.exe
3604	Afhohlbj.exe
4704	Ambgef32.exe
3696	Aclpap32.exe
3968	Anadoi32.exe
1584	Acnlgp32.exe
3276	Ajhddjfn.exe
1260	Aabmqd32.exe
3848	Afoeiklb.exe
3492	Aminee32.exe
3116	Aepefb32.exe
4324	Bjmnoi32.exe
1080	Bagflcje.exe
2880	Bfdodjhm.exe
4640	Baicac32.exe
4972	Bgcknmop.exe
3524	Bmpcfdmg.exe
4016	Bgehcmmm.exe
3684	Bmbplc32.exe
5012	Bhhdil32.exe
1100	Bjfaeh32.exe
4460	Cndikf32.exe
1600	Cnffqf32.exe
652	Cjmgfgdf.exe
4988	Ceehho32.exe
2392	Dhfajjoj.exe
5088	Dopigd32.exe
4208	Dejacond.exe
3372	Dmefhako.exe
4944	Delnin32.exe
2748	Dkifae32.exe
412	Daconoae.exe
3268	Ddakjkqi.exe
1448	Dmjocp32.exe
1084	Dhocqigp.exe
924	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	59acc4a2ef57533aa68894612a17ea20N.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	59acc4a2ef57533aa68894612a17ea20N.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjmgfgdf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4360	924	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	59acc4a2ef57533aa68894612a17ea20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	59acc4a2ef57533aa68894612a17ea20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	59acc4a2ef57533aa68894612a17ea20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	59acc4a2ef57533aa68894612a17ea20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	59acc4a2ef57533aa68894612a17ea20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4568	4056	59acc4a2ef57533aa68894612a17ea20N.exe	84
PID 4056 wrote to memory of 4568	4056	59acc4a2ef57533aa68894612a17ea20N.exe	84
PID 4056 wrote to memory of 4568	4056	59acc4a2ef57533aa68894612a17ea20N.exe	84
PID 4568 wrote to memory of 1556	4568	Qgqeappe.exe	85
PID 4568 wrote to memory of 1556	4568	Qgqeappe.exe	85
PID 4568 wrote to memory of 1556	4568	Qgqeappe.exe	85
PID 1556 wrote to memory of 4468	1556	Qmmnjfnl.exe	86
PID 1556 wrote to memory of 4468	1556	Qmmnjfnl.exe	86
PID 1556 wrote to memory of 4468	1556	Qmmnjfnl.exe	86
PID 4468 wrote to memory of 2636	4468	Qddfkd32.exe	87
PID 4468 wrote to memory of 2636	4468	Qddfkd32.exe	87
PID 4468 wrote to memory of 2636	4468	Qddfkd32.exe	87
PID 2636 wrote to memory of 3384	2636	Qgcbgo32.exe	88
PID 2636 wrote to memory of 3384	2636	Qgcbgo32.exe	88
PID 2636 wrote to memory of 3384	2636	Qgcbgo32.exe	88
PID 3384 wrote to memory of 3604	3384	Ampkof32.exe	89
PID 3384 wrote to memory of 3604	3384	Ampkof32.exe	89
PID 3384 wrote to memory of 3604	3384	Ampkof32.exe	89
PID 3604 wrote to memory of 4704	3604	Afhohlbj.exe	90
PID 3604 wrote to memory of 4704	3604	Afhohlbj.exe	90
PID 3604 wrote to memory of 4704	3604	Afhohlbj.exe	90
PID 4704 wrote to memory of 3696	4704	Ambgef32.exe	91
PID 4704 wrote to memory of 3696	4704	Ambgef32.exe	91
PID 4704 wrote to memory of 3696	4704	Ambgef32.exe	91
PID 3696 wrote to memory of 3968	3696	Aclpap32.exe	93
PID 3696 wrote to memory of 3968	3696	Aclpap32.exe	93
PID 3696 wrote to memory of 3968	3696	Aclpap32.exe	93
PID 3968 wrote to memory of 1584	3968	Anadoi32.exe	94
PID 3968 wrote to memory of 1584	3968	Anadoi32.exe	94
PID 3968 wrote to memory of 1584	3968	Anadoi32.exe	94
PID 1584 wrote to memory of 3276	1584	Acnlgp32.exe	95
PID 1584 wrote to memory of 3276	1584	Acnlgp32.exe	95
PID 1584 wrote to memory of 3276	1584	Acnlgp32.exe	95
PID 3276 wrote to memory of 1260	3276	Ajhddjfn.exe	96
PID 3276 wrote to memory of 1260	3276	Ajhddjfn.exe	96
PID 3276 wrote to memory of 1260	3276	Ajhddjfn.exe	96
PID 1260 wrote to memory of 3848	1260	Aabmqd32.exe	97
PID 1260 wrote to memory of 3848	1260	Aabmqd32.exe	97
PID 1260 wrote to memory of 3848	1260	Aabmqd32.exe	97
PID 3848 wrote to memory of 3492	3848	Afoeiklb.exe	99
PID 3848 wrote to memory of 3492	3848	Afoeiklb.exe	99
PID 3848 wrote to memory of 3492	3848	Afoeiklb.exe	99
PID 3492 wrote to memory of 3116	3492	Aminee32.exe	100
PID 3492 wrote to memory of 3116	3492	Aminee32.exe	100
PID 3492 wrote to memory of 3116	3492	Aminee32.exe	100
PID 3116 wrote to memory of 4324	3116	Aepefb32.exe	101
PID 3116 wrote to memory of 4324	3116	Aepefb32.exe	101
PID 3116 wrote to memory of 4324	3116	Aepefb32.exe	101
PID 4324 wrote to memory of 1080	4324	Bjmnoi32.exe	102
PID 4324 wrote to memory of 1080	4324	Bjmnoi32.exe	102
PID 4324 wrote to memory of 1080	4324	Bjmnoi32.exe	102
PID 1080 wrote to memory of 2880	1080	Bagflcje.exe	104
PID 1080 wrote to memory of 2880	1080	Bagflcje.exe	104
PID 1080 wrote to memory of 2880	1080	Bagflcje.exe	104
PID 2880 wrote to memory of 4640	2880	Bfdodjhm.exe	105
PID 2880 wrote to memory of 4640	2880	Bfdodjhm.exe	105
PID 2880 wrote to memory of 4640	2880	Bfdodjhm.exe	105
PID 4640 wrote to memory of 4972	4640	Baicac32.exe	106
PID 4640 wrote to memory of 4972	4640	Baicac32.exe	106
PID 4640 wrote to memory of 4972	4640	Baicac32.exe	106
PID 4972 wrote to memory of 3524	4972	Bgcknmop.exe	107
PID 4972 wrote to memory of 3524	4972	Bgcknmop.exe	107
PID 4972 wrote to memory of 3524	4972	Bgcknmop.exe	107
PID 3524 wrote to memory of 4016	3524	Bmpcfdmg.exe	108

C:\Users\Admin\AppData\Local\Temp\59acc4a2ef57533aa68894612a17ea20N.exe
"C:\Users\Admin\AppData\Local\Temp\59acc4a2ef57533aa68894612a17ea20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\SysWOW64\Qgqeappe.exe
  C:\Windows\system32\Qgqeappe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\Qmmnjfnl.exe
    C:\Windows\system32\Qmmnjfnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\Qddfkd32.exe
      C:\Windows\system32\Qddfkd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 396
        42⤵
        Program crash
        
        PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 924 -ip 924
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
59KB

MD5
3d300a2cae5281717d1de191daee4257

SHA1
1520bc50d089badd63f71c59c53568f9894559c2

SHA256
b40fc7c4ef53f78ded07626bfa4299322279edc37a2ecaf791be69dcd27f3eab

SHA512
a3a9a2df88e8d67a1a13319ce8dabbc209b5694463ef9dd13047a570a017cf2fb479c789f9fb446b1d0bf6b6696e0780bd224ae5394641119f608e354794e68d

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
59KB

MD5
030fc22d3a9f21266a5ad9709dbf025d

SHA1
dd77ab2f30999540daa8ce0f11d2d15b9471a66e

SHA256
63b617befed6da4b2b2fc8525f339bd8bfcc83d3382611b3b1f9c35f489bab9e

SHA512
a7c4a013a0f6e37f78d040bc84ba71d7e981b3f5023fb089512a41deda947efdd632d5b0a70820da7c95a92608c9e049bfcd50dc59a6d850a7c3d3b5dbe3af01

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
59KB

MD5
e3d3aae3d9928d9e8f3863618eeb775e

SHA1
2afed54b61554c1cb42cd901a24fb2ed8d6e4512

SHA256
bdde7aab5ab2b4b822dc65854cb7aace8baf6099ad0e1ba64443734ce865665a

SHA512
eff5f98c981135a63b9ee1df3eff95d7349a20557af33c5247f082902f8b50a42af16cfbef327bdbd9a3d8c7762dc652d69c47518979ea47e89f4d016e2d6498

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
59KB

MD5
55ae5c1e107370947458e0716baf4ad9

SHA1
e4e9b885971965c74b094efd3b0afd276527a625

SHA256
f9c88bfb38d99eb6145652945beb9d97ae77840f8591faa766668f8e6975a340

SHA512
410fde81faaada8c3e23484e2a53456685093f8cfc3673adfc5ee143a1c3f2b134ea60fbf1cac443b301d1724686de28574f4dee17d552e52bf511b2045c5f17

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
59KB

MD5
c9c58090795d7b9ec1934265e0a3b0c3

SHA1
7ff10312def2b3bf03b9e5a03281c8a097146671

SHA256
3e21fa743679f86f8129ddaac846d4833c46ffee233595d66d6da19239e78f49

SHA512
7db5405728c9361347a428f26a89872beafa61a5193c8adcb4a1aa2c9c53a02722ee45a49c990a2a8b09aef5a49adc57d8ec30656feaba340a2adfdee5c4370a

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
59KB

MD5
fd87cbd92d77fd9add95a3cdbdbfbc23

SHA1
05ec67e107072ddef312781c5fd35db1e80a9d31

SHA256
587bebebca89580b6595696cf3cdec31741073deecf1eff573590d2360360471

SHA512
65ef7d701c80b3340d2033456e853b10d6fc4cb4e67f5bf0056f1bb84d895b2553998c6baab16d601bff65fd865d722e0addf848f900630c38e14a19771b19fd

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
59KB

MD5
fce1dcc88214ea036109e85164965c4a

SHA1
e2ab95590e8b142f66fec60763212729732a2c6d

SHA256
057d93b166dfbf28d1e460cc5cbadf4727817213852ce2459ab729a85604b13c

SHA512
83d4b247d8c98165248a87fe0fe600f3aed01f488a7064d52d3a343ade2a240e49b3499acf8c01180d0afabd48d4fd32febaa255569fcbc744af55f14d6ec6a0

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
59KB

MD5
6ec1ede8cd36289631cfa04f76efb858

SHA1
b06f5ff0780a21ea3c40a33ec5dc6071718d1ac5

SHA256
24f0cca11af83345ca2eba933405e5de9ff0727de67b9c1137969434b8ae5de2

SHA512
a715c6e74274ca79df9c212292d99c4c4f7b1d6b7ffd6a0497cb7488d75165e89263bc80f935885bf89aa260f7c7fc15240c7fae190ff59950b4638f0bdaf078

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
59KB

MD5
9fdb377a8e8f99a4cec7e3ba401c33b5

SHA1
06ffb52a3994c3b0d411844880755d40897a7db2

SHA256
90bbcf23ff199e342cc19f8b11ee3aa0d2cdf038a794177fa65a620e3d5410e9

SHA512
e603b7a4f2cab78bcb69a7eaeecc2c73c28d07f77c9ca13004595cf6b12b2dd3d81bf190c87401d0bf328897eb573a6f7eb8ef2c4dd84536e7e55a24522e4cea

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
59KB

MD5
b0d3d90c98f12f13858e7b0f21de8241

SHA1
693f9bc078de1b9bb94a3538b66c61e941c1c570

SHA256
e1c17776d87c907e8bd8913dde10a5cde29c9c13a1e861f1aee27b282938420d

SHA512
55b01ec4c365c451873b63b7692f8203b0f3be8b09f346e9f5884b06211d93ee8467c5964abc37980a677ae6fb94a3ba7c61c350965b0e5e87a17a8cf53d5662

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
59KB

MD5
ebf09493e2080b7675ff278537b41519

SHA1
d9f4d135c07d91ff30aec7e48da00df905fc3621

SHA256
28b1caa0250ddc91106d2fcbb6fdf6c951c864955255fd66bbbbdeca6b1384c4

SHA512
02a0d0183f356c2c59c29d9bbbb74a647edc9b7da9397e7531b451bed048fb0a8bf1701f3c6a081e3ed21c64160cb23259d1e8c66555b1661730c6dc0b4bb3ab

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
59KB

MD5
97c7357cadbb6dee306559cdb8e32fca

SHA1
d3c08abd26ecfc23400389a87e66c1fe1ba1db77

SHA256
6105043d315dc0392e4a6d056f0908118be2aa1f527aba8a478805ef53cf63c9

SHA512
096c8afa694f107411e8e7242a86f9446746788fdb8f6b642856aa2239199b6aa0b6bc491f35d9eaa464f4d30fc8ca4d2ad613fa1b646105b4707cf75e681428

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
59KB

MD5
d64c94ef2ba1b1a921e661ca79018b60

SHA1
89d126ce4157df12d410461c02fba7ca89ca962a

SHA256
5109b1dbd49d1cfda50603568a6457e81e6017954e04a3a0335e8d6d75aec762

SHA512
4e6b9e630bc92b10feed3e8c6afa057afa1bb0398b02f804bcb2f22d98f52e07bfc9e9e01c48e63bda7933be550eb81f7d1a42afed7c2255ec6e9ca66f0e231b

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
59KB

MD5
b09b1a115d6d45568d0d2a5f78db31ed

SHA1
163b27058d653bdf8a71c7420efce96ed5e81cf3

SHA256
46fcea78273520b1cd78aae25aeb63d9efc064a9570ea925ce892cf3163e2e73

SHA512
3567bafd504a22525844815420db8c2c135afebda29658f2ece8881367180762c3c295f10f2bb81d5ecd990045409af4546a5262566c6d981e84ed670cba2ed0

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
59KB

MD5
af9efe2953a34d6ad44c4d616178c83c

SHA1
dd57dd8be3c2fef70bd3eabec359b459c1387fc7

SHA256
8b36a600f257f8b571ffacc282db24a4da5cd6683e4cebcdb3bc4e1f084eb22e

SHA512
04673365c060c3291eac8c9311e8fe378042fc89c96145c39c1e9bb1f1438c50a75c7873d4068d8cf8155c25bddd2d2c6cb4591f0a3499608bec107a4e18e56d

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
59KB

MD5
b9a86c035a64132be5720046675cbd6f

SHA1
9203f3bf47a7e835c5a5569d8edf983ce2ca5d76

SHA256
a9a75eb09c8b56c73e57d79d26e3625fd7078735f56dc256bdf96427a901ad5c

SHA512
408380754557887faaca8a3856fc639763cd4fdc532ffb3d9de4c0bb159d8bb22206b28647badb45662714f8fec891a598f50053c9f3207430910b7461c65732

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
59KB

MD5
11a00a703b44c70756ed8cc9fe1ae530

SHA1
559d8aec82398bc6af6aca8c829ef301b647b173

SHA256
c8b14ca9e2041d59f9ccce76235b9db2fc71cc1cf7e7717be7f6fd1d760a7917

SHA512
35b77dd668749120e03c4b4d769cc15301798bd20760b7801269f9ff88a5e3860823b894d141ee72069e3f60629442d12f1a3430c156accc931139779b10651a

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
59KB

MD5
23383ca71c8e1f61d7582c9030e3a8be

SHA1
f7d92a8116cd4e498d0d38efaf69cdbcf36812e1

SHA256
06d6b6f9ac498219ae8fff26c6775b6e226fc7858aee5c35d68cf50a602484c0

SHA512
0c2f50494dd2756aa5d5e051e701fbe3cd883952bf35fb981384c36818663c478a1cd5419d8af6b7ec2143391066ffa47f5d30aab81694d6d185e968334667dc

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
59KB

MD5
b295d90c1349f46026325e1467c8fca7

SHA1
d251cce9d827d4e63b801e419f771fa76befe800

SHA256
f6e6a33ed73cf6fc5a51250aae2a96e8f07846d4cc4035f23747f14cb851bd85

SHA512
0676a98173fc9f2f6cf6aef6d9388d02b721107f1099761ee2f45b367b8f013026d8c658a26a7d92e23922a6e9677a6a697ea1a4159b926697f5b33b94cc0faa

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
59KB

MD5
449e439d8ef1fc89669440e617b3e46d

SHA1
3784a1a2d8de1c5a4cb341bfe61fe3946d986864

SHA256
fbc8847d3fd3abe7449864f820be0359b07a71c1968a58b5de0b31c7779eb84a

SHA512
6e54662b9c3b6e738eed91a8acb4e596014fe589596338fdf6c6e792f4e88abf893ef5eefca0e336b9ee4378fc7c14b8bf23125440d4f84f8755a6997c197cdd

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
59KB

MD5
50f1855b50bcca978998cf05f42cc8e6

SHA1
7811c7df40ca72b37a8cda1fb0f4d81a52ce04cd

SHA256
fbe719c2fff9d6552ff8071ca7a2c2c048058deb1dad98a12692b3a4104d6405

SHA512
6308430cac49f744009ea52b10bbc7f209d8a8603572dc4032fce7e7c264df0380ee806f4ba20dc5394eab8ec1b6f0406026da1cd7c28f4394c2f1af35e2a725

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
59KB

MD5
d5ed09380c1cccd926c00cfa912d1013

SHA1
51d8d4bcc9ea0b67eb215d87f4a4121da9c2dee2

SHA256
8843f7beaf535292257b1f1f5ddfd3ef9a418287ca676ab7591b19884304c8cb

SHA512
f52c774e886f298d49bb64b0d1e4b266a9bd6f765a5a5a6bebf2deabf015474cc94f775de7eea53b1a02efac2593526f5fb69188ff72341a04ab98b938f50874

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
59KB

MD5
ff3964c7903dbae6651d23c15baae1f7

SHA1
4e5e5ce0d83d0fc05dee9c9810a5b9a7b679a973

SHA256
27fdfcba0dedbafc65f476667d52572869d6e958630af4a99103fce544e22c6c

SHA512
ca08f12e890fa2266cc94d981d304bd894f9425b22c576b274e7de1c7096ddc1a758ab8c4cce9ba0202b6a6e2fe5082c7e96b78a2f65277cb8c0e3ec0452700b

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
59KB

MD5
a8d9600b32b8946311fb19e86f1bec53

SHA1
dfeb94cd1831ba69239d51dfa2523df80c00bf37

SHA256
2291cbac9ec64856213b4784cc36401d858aadd976bbf0033b2c46a3a0ed1cd5

SHA512
1fb9e24af2528a48084006946155dd23055b6a950eb166ff18f01d6f22910c9d0bc28b8e604f3b081e264888246ded56897dd9680040512cdbce9ff7197fe642

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
59KB

MD5
2cdbad2132b195803e5ebb3d314c23c5

SHA1
f4fc3313bb39501ba67a16e81721592606e57be5

SHA256
fce1497d6fee68f309f44a3572f6ae3e807d218576eb857f8c8cff2f288eebe2

SHA512
61c232610686115c8048bdd07f2e85b56fed03762d5fa072f93da575be45c2f6a777c2ca8c270348ad0863e7b84c4eeb66449699e78b631564fdfdeb9cda4468

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
59KB

MD5
fd0a8b5582851438fc2d560bf92a02b3

SHA1
19ace2638958ea50b311fb43b615aef464872322

SHA256
2e7d6ea7173cbd13922854314950fe69aacd1c70e4a0f042939641314e6a9cf8

SHA512
93a09fc280cf8eb2c2ea24eaf70f25b7c51873142650e472c8e87729bbbdb3223d60aece432a2767e943843273a47f6a88ffa96890fcab0e670041c9ccc457d4

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
59KB

MD5
604c931c1283e2d7f1b503fd472f130c

SHA1
46027778b359b7d7856d07b900deeefeaa33ebe7

SHA256
d3bfacc2a51d239abc34364702aeea4820b81881a0fd214561f763e4bb9a208f

SHA512
e8a97e567b299ffd51513e57c6ee939eec745fd0cfe6e78d3df20c02b5a76f093d77dac9c5922b6b5fd1ced7bb688c8c39982e5f4b08f5736d42718a24c71355

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
59KB

MD5
1e0c5ef0643d0e64c2a6f761fd1e2192

SHA1
c6fdb4ee22df740066b9e94c5067ac17860cec14

SHA256
8226c602ddbb3d8a50606a0150bd1677b5c5ef6f7989ddb7e9d0c7f02274832d

SHA512
39fb0b120cfb34e2422fffaf5aa9f3ef771cac27813c30ae02e284663fa59f6a891c12647b964163570f2913c861a27827a1724b68c01d0e179f0ffee7cc663d

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
59KB

MD5
ab0c2311e4481cb255644e1aae3e4399

SHA1
2fd608cc2bc9382ba0f6275f5db19dd30e47c60c

SHA256
3f814efff6a409146d37e0340f481e97acfeceecfd069df7258ade42354f46f3

SHA512
51921430ae6462ef8ae1276364b6e2c84ce4d900c8e6a2242f967799cdddb32c0f336a16ae4a0afc54bd75cb64206c0c3a3c2c9a3e63cf950105856230671e40

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
59KB

MD5
856b5e83ebc3f44953fa53102236ff61

SHA1
17481649e1f6ebf251fffa24a0c4bba56434f2b4

SHA256
02089184c50171861580474eb882482cd86f3acbecf0d1759b1ea097b56b6cab

SHA512
36564f01f0b20e02bd0a61de44106dab542151304a416e06fd212c0526053265d2fd35b5836b14a34df77baf50fc5efdef369bdeac071985309bb4a5df3a7fbe

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
59KB

MD5
72d04eec5f0b377d2c347fe41239153d

SHA1
7d9b2f558e88700fd49e9fe48758b89facc78517

SHA256
038def70db470f63f51f757cd2d250c1983202ca6f18465b16b64f7ded0f5ae8

SHA512
5ab6b21608fd2ee4fb5b161985049494f2a7c5b699631d48dd65b4afdd6b96845d78daaf908374d3ddb32bd1cb9cc82b29bb3dc952292b4321336ec70bf8b404

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
59KB

MD5
5e5929c1eced8ef89d533aaed1123d14

SHA1
7fffb2d2d49d6f8eb4b37215162309c1e3c96420

SHA256
c8604d8ecc587ad7df0a67ab38b5b13369278412b3df2fba00282b1bf1b6b67b

SHA512
d56efe98bf7d50ce54bcfe1efd257f172c3b0207abd8a2d20b017b1a01673227216aa09b058c1c6943f58b44f67b14a870d8bfb42d399507db3d4e873c3957ca

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
59KB

MD5
61d7f9ada8968e227450b45511c72ebe

SHA1
29d6341037fd3aeba6a14ef86c0f632a8dea5ebf

SHA256
a23d76fe6b06760ba4f0c185e8e4dbac5fc2c3de522ad78b29c3200ca75616d4

SHA512
1a645218f5e6cf56cc96904eeccff6af8e1f37d3f37144278153f1006c402b96cf0bcc493c3f80fae869d0d54228da914f658f9703292a7e49a1858bf4ea8fc1

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
59KB

MD5
5e3a29a2227ed5373e467d27bf8e1dc8

SHA1
bc795c3dfdd0e152c26d52fa2be4aee886bcc381

SHA256
ab4db734f692723765fc9ab726f659786b497122ade87c7e73e91c0c6171ea1d

SHA512
ff00a97325681cc0900a09ed0a3a265115768dc0b39de1c1c07ce4988fb22f60a63a98192ca04044a071fdd817e2e38395f70ac4fe677c7c0f84f0163ec30f72

Download Submit
memory/412-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/412-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/652-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/652-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1080-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1080-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-320-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1260-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1260-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2880-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2880-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3116-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3116-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3384-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3384-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3492-118-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3684-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3684-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3848-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3848-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3968-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3968-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4208-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4208-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4460-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4460-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4704-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4704-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads