d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4

Analysis

max time kernel
136s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe
Size

465KB
MD5

b780fccc13f330420f1f210a89068930
SHA1

f4ef0e4476416bb12c0fff72265a3c9a9d4496df
SHA256

d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4
SHA512

52c85bc43c33f0b62f26db5e82e784d11988c200ecfbeb2ab3cb3c91c82acfb5f30d1077ab290aaa4de3e84cb581b681fdc9af09bdc72ba523821654295b87cb
SSDEEP

6144:+vUzRJR9lvhX0PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR:B7hvz/Ng1/Nmr/Ng1/NSf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe

Executes dropped EXE 44 IoCs

pid	Process
3876	Pjjhbl32.exe
2476	Pmidog32.exe
3780	Pjmehkqk.exe
4964	Qqfmde32.exe
4108	Qnjnnj32.exe
2812	Qcgffqei.exe
3380	Qffbbldm.exe
1580	Anmjcieo.exe
2480	Anogiicl.exe
4544	Aqncedbp.exe
3308	Amddjegd.exe
860	Acnlgp32.exe
3292	Ajhddjfn.exe
4580	Aabmqd32.exe
3740	Aepefb32.exe
4736	Bfabnjjp.exe
3324	Bnhjohkb.exe
1932	Bjokdipf.exe
3484	Beeoaapl.exe
2796	Bjagjhnc.exe
1628	Balpgb32.exe
636	Bmbplc32.exe
1244	Bfkedibe.exe
1808	Bnbmefbg.exe
32	Cjinkg32.exe
1124	Chmndlge.exe
716	Cmiflbel.exe
3548	Cjmgfgdf.exe
4956	Ceckcp32.exe
3952	Cmnpgb32.exe
812	Cdhhdlid.exe
3552	Cegdnopg.exe
4716	Danecp32.exe
3488	Ddmaok32.exe
2432	Dfknkg32.exe
4992	Dobfld32.exe
2392	Delnin32.exe
3520	Dkifae32.exe
4728	Daconoae.exe
432	Dfpgffpm.exe
4348	Dmjocp32.exe
4280	Dddhpjof.exe
4868	Dknpmdfc.exe
3224	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2292	3224	WerFault.exe	132

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 3876	4832	d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe	86
PID 4832 wrote to memory of 3876	4832	d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe	86
PID 4832 wrote to memory of 3876	4832	d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe	86
PID 3876 wrote to memory of 2476	3876	Pjjhbl32.exe	87
PID 3876 wrote to memory of 2476	3876	Pjjhbl32.exe	87
PID 3876 wrote to memory of 2476	3876	Pjjhbl32.exe	87
PID 2476 wrote to memory of 3780	2476	Pmidog32.exe	88
PID 2476 wrote to memory of 3780	2476	Pmidog32.exe	88
PID 2476 wrote to memory of 3780	2476	Pmidog32.exe	88
PID 3780 wrote to memory of 4964	3780	Pjmehkqk.exe	89
PID 3780 wrote to memory of 4964	3780	Pjmehkqk.exe	89
PID 3780 wrote to memory of 4964	3780	Pjmehkqk.exe	89
PID 4964 wrote to memory of 4108	4964	Qqfmde32.exe	90
PID 4964 wrote to memory of 4108	4964	Qqfmde32.exe	90
PID 4964 wrote to memory of 4108	4964	Qqfmde32.exe	90
PID 4108 wrote to memory of 2812	4108	Qnjnnj32.exe	91
PID 4108 wrote to memory of 2812	4108	Qnjnnj32.exe	91
PID 4108 wrote to memory of 2812	4108	Qnjnnj32.exe	91
PID 2812 wrote to memory of 3380	2812	Qcgffqei.exe	92
PID 2812 wrote to memory of 3380	2812	Qcgffqei.exe	92
PID 2812 wrote to memory of 3380	2812	Qcgffqei.exe	92
PID 3380 wrote to memory of 1580	3380	Qffbbldm.exe	93
PID 3380 wrote to memory of 1580	3380	Qffbbldm.exe	93
PID 3380 wrote to memory of 1580	3380	Qffbbldm.exe	93
PID 1580 wrote to memory of 2480	1580	Anmjcieo.exe	94
PID 1580 wrote to memory of 2480	1580	Anmjcieo.exe	94
PID 1580 wrote to memory of 2480	1580	Anmjcieo.exe	94
PID 2480 wrote to memory of 4544	2480	Anogiicl.exe	95
PID 2480 wrote to memory of 4544	2480	Anogiicl.exe	95
PID 2480 wrote to memory of 4544	2480	Anogiicl.exe	95
PID 4544 wrote to memory of 3308	4544	Aqncedbp.exe	96
PID 4544 wrote to memory of 3308	4544	Aqncedbp.exe	96
PID 4544 wrote to memory of 3308	4544	Aqncedbp.exe	96
PID 3308 wrote to memory of 860	3308	Amddjegd.exe	97
PID 3308 wrote to memory of 860	3308	Amddjegd.exe	97
PID 3308 wrote to memory of 860	3308	Amddjegd.exe	97
PID 860 wrote to memory of 3292	860	Acnlgp32.exe	99
PID 860 wrote to memory of 3292	860	Acnlgp32.exe	99
PID 860 wrote to memory of 3292	860	Acnlgp32.exe	99
PID 3292 wrote to memory of 4580	3292	Ajhddjfn.exe	100
PID 3292 wrote to memory of 4580	3292	Ajhddjfn.exe	100
PID 3292 wrote to memory of 4580	3292	Ajhddjfn.exe	100
PID 4580 wrote to memory of 3740	4580	Aabmqd32.exe	101
PID 4580 wrote to memory of 3740	4580	Aabmqd32.exe	101
PID 4580 wrote to memory of 3740	4580	Aabmqd32.exe	101
PID 3740 wrote to memory of 4736	3740	Aepefb32.exe	103
PID 3740 wrote to memory of 4736	3740	Aepefb32.exe	103
PID 3740 wrote to memory of 4736	3740	Aepefb32.exe	103
PID 4736 wrote to memory of 3324	4736	Bfabnjjp.exe	104
PID 4736 wrote to memory of 3324	4736	Bfabnjjp.exe	104
PID 4736 wrote to memory of 3324	4736	Bfabnjjp.exe	104
PID 3324 wrote to memory of 1932	3324	Bnhjohkb.exe	105
PID 3324 wrote to memory of 1932	3324	Bnhjohkb.exe	105
PID 3324 wrote to memory of 1932	3324	Bnhjohkb.exe	105
PID 1932 wrote to memory of 3484	1932	Bjokdipf.exe	106
PID 1932 wrote to memory of 3484	1932	Bjokdipf.exe	106
PID 1932 wrote to memory of 3484	1932	Bjokdipf.exe	106
PID 3484 wrote to memory of 2796	3484	Beeoaapl.exe	107
PID 3484 wrote to memory of 2796	3484	Beeoaapl.exe	107
PID 3484 wrote to memory of 2796	3484	Beeoaapl.exe	107
PID 2796 wrote to memory of 1628	2796	Bjagjhnc.exe	108
PID 2796 wrote to memory of 1628	2796	Bjagjhnc.exe	108
PID 2796 wrote to memory of 1628	2796	Bjagjhnc.exe	108
PID 1628 wrote to memory of 636	1628	Balpgb32.exe	109

C:\Users\Admin\AppData\Local\Temp\d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe
"C:\Users\Admin\AppData\Local\Temp\d01ffc3ba02a9ea7309b505dd0e0c6fe6b424aa585e8c441aee848fab03cedf4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\Pjjhbl32.exe
  C:\Windows\system32\Pjjhbl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\Pmidog32.exe
    C:\Windows\system32\Pmidog32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\Pjmehkqk.exe
      C:\Windows\system32\Pjmehkqk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        45⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 396
        46⤵
        Program crash
        
        PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3224 -ip 3224
1⤵
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
465KB

MD5
3a97823608158d7b00703ab3c7db6017

SHA1
8451da98c9cca30543ac810ed68f9a88fd2e936f

SHA256
ca7b05448979a4e9d9d8f9f12c120efb4f3adb334ab7b1cce813e125d6494f2a

SHA512
8f5650e094919a370ce0fbeb5a1c52af1a1f54d9b9816f9453dc1d1b0fa06f50993da4bb1f02a43f48345e533a4184abd43f0ef4a515269f412be45f52bccf22

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
465KB

MD5
83454b47c975afbdd040dac94b25adba

SHA1
c790bbe33f9fc93d0713ae7cb0101cc203e4c663

SHA256
a72a27db95078a5983c50214799491a95f27ef534133d4b8bad1788296c57fbc

SHA512
7bfc3215899f0bb5d49dfe211d3d0228a30bd5091c6181281ff635d32547c0ee2a5832919e33962375d1921c944c5ed2321159e1515e3af1ecc04f2c84bd5941

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
465KB

MD5
b379f640e7b63cd1608de2094deb7879

SHA1
9916c483832d2363223128773d236862fbe562b3

SHA256
8c5b56c60da1a19b7e38bc52225ddc96456708766fd00c42660b8c6687960004

SHA512
aab256d5eedc9aa3158665466f2fec14c4537a70768a76362147d659abf65dc673df86108879c05605ae2139f553582ad93ab8e0a162ff5ea8de2ba277f632b0

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
465KB

MD5
c18952e97187a5a93d8da595880bd530

SHA1
1441a211e383cf0173231dd1a777c3fa6e1e8e59

SHA256
d204de28e09cca902c22d602b946a3f3f58ca9c078e689e7e6ea16a862a7b50b

SHA512
5110448d12a3525098f98dceb95e162f7c129968f0f33c6a4fa431fe8e18f274077fa4cd447020e9c42c6361ccaa119b07dadc60ec179459741c2be893a3ce83

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
465KB

MD5
52e7a38ac4ababef06a8f2ef049eb2b1

SHA1
4ddf83890ae5491dcf4791fdc089f9f074a30542

SHA256
7676d00c52cd9db4db4c5f8dd57c4aac968ddd57ec22a20ce353392144fcd466

SHA512
e5cf6b4e6bfe0b59eeea9ff38586f71d5bcd96dfd45aeb1c7ae4855a005128b59cf7081c97df7b0a96e5f4e15c7540950ad473985c6af8e02e98f0019325a77e

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
465KB

MD5
4f65645844b86a2a665e5723ac8eb433

SHA1
0e971d41d60b2fba5655283e78175a0f445e085a

SHA256
f3ef67c1fe8c6cd56c2628711a4fcb2985981551f84e5dc4f32f4413122acc84

SHA512
122bbd0aaf6bb63caddaec5212acc52a070c91a333f2201571f37c0aa042d2bf8719c9584b41f2e30a8efd4dae857c3ba252ce489e411f1aff1c8ddfb233e59c

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
465KB

MD5
a6f33a4d9b9428cd0ab9fade513c758c

SHA1
d588efb5280bd5ecb19db53e758601e6f0f352a8

SHA256
12d2450f5a6be06e3875f2330217e406303bda557cab7eb9b2ebbe74e431938b

SHA512
404cbb95b2c7ff4cbe002f839e0cfcf1235d34015375d7a87a9a1c340efb8ff112d78dde697578174e36b0455f4e6eb6a53bea8c520fddd773e72ca549a41bc7

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
465KB

MD5
05ccf9e6a646e7a2b75d9aa39f2334ae

SHA1
734935ff6fa8b5bd0c79659369812419a1c02a8d

SHA256
fa749eb5003a3c8a3ec39b2225d10815520dcd7e5eabff9a33cc4b01afe981a2

SHA512
b3d17213d2d800bd4f09e2c5eb0fa81dde5382c8204dd10cf408858b79ff3286472d1c1f70154c3d81a8f2ff8c56694d7cb6663f742cd9227888a58c2be7eb9c

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
465KB

MD5
864cf1960c84b5b114385183374f0746

SHA1
369d7b2173f2eaacfbf76e3ec752239c188121cc

SHA256
b0a304e565b69b3b22e02c11c679c7366d93b25d60436fb216dee5a18d27047e

SHA512
8926bae9f1a05180394f6307bf11d8dec258e779a2d33d650912df76cd61f55e9fc5e800ed9182f920db8fd58953e3246fb33a95b74745411ef507f7b7f96c41

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
465KB

MD5
f6abd88eaa49652dcd79a831b9de32a5

SHA1
e60408e401312535b6335a912a8568fc35332145

SHA256
cb79d5ee20c60a9aefa716ec3d8ab76be928ff400d6faca9e5e3ce35ea8878be

SHA512
2d63561734b264fe1559290bed9fdf765a4c091def94fa92b8a3cb052d9ae9138cc9a7be6af844d4dc9ea9c3099bb969efeadb36920ff00ef72e9f32b0efa4c9

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
465KB

MD5
1b65449d6ac3e73f28af59c12a3ede5b

SHA1
e71d11bb71487da81e50e929b07e6fd0a1dc860f

SHA256
611969ec13990080e018726128b3a315566f9e9968f86546e33995ca8eb59248

SHA512
e6dd39b7f966278f4689ceea02ccc994027416cb20b79be03523fd6c15f27ce8ad8592d921d0a705ad2003ffb7f553993f93419a1de363e156965fb705880df7

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
465KB

MD5
6d75e3c08b38fe539fe2c158d687287d

SHA1
4bb1973dd5d725c64aa74726e9876ffc36cb6993

SHA256
de32520a129b658c4631881827e17f96bf4957ba61bf5df5e03a6f7c642f0600

SHA512
b273211013e38fb395a39cd4db66b9f68c69a2e70237e8b68f50d0bae6f4f21ae070c7c6635bfc6f995a89a36cb57c26afda1adb562ae84f6bf519daec2b46e8

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
465KB

MD5
a36d592d26c36f231c5df70e4f47a50a

SHA1
2b5421cb1a3bafa2558cc58134bc7478d78a9a1f

SHA256
73a695613216915e74c6da69f32cef92ce64f59e4fef274087f8dd4090cf2782

SHA512
050238b04bb965a1f7e8521591e19b969e2f82e400a31e44d0287da40075c849e77bae09ff02b8ca9a842997f3216e9288643eba6c57343e27e1ba4c1bd75f4d

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
465KB

MD5
b09c1d3746d54df92626b12cf1b53108

SHA1
36a4f9a8835ea9745b23215a7adf4e7ea96cba58

SHA256
ef5a5a00217c19b5270d48ccc51909d44bb665c9bbdcecccb9e2c791c5a92bcf

SHA512
31809df4ffa5d081155c25a765b1473ac915ee5d9c2800c4ed4daf654aa3a6fefbe43d5940a309691d183c0d95223417c03c5a6175fbffe4c3d9edc178bd9045

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
465KB

MD5
4867a68a6869a50bf7480fb7b440d9e8

SHA1
02e2cebff5a4c79b3f432b5a42aa45e90d07f9c1

SHA256
5acc6a3f1400e9b838949ba5818b9c3c9e51c99f59a4f2f0c983c733fc842df7

SHA512
5d2e58c520a47303d3595f900ac06959184e9b7c908b387e1d0bb81f8f3bc3762b2591b5086f5e5d2372fe74ccc58af0ccc8115333c604e76c4aa9231c7a74b4

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
465KB

MD5
b57f5ceafad84dce8f5c24472e12cf27

SHA1
3eed9bd56232ab1b807cbe4ac5e2a16adf30efbd

SHA256
37245c1c94660c73ffa2e20a6441371ab7f3c7ed036129dd7dc0d0558802b27d

SHA512
113bebfd9a82d1155fec1628ca0b4b4a31bbdb2970b2f68ba09a105f8b276e973e88fc562f0e9e0c188fc05a2ce40591e936324c5ad45bbfdce705c092782655

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
465KB

MD5
324657f23685cad6b2b147e29c308bd4

SHA1
b77337b30618c823ad2ea9a0a9d83d2a7d1bec13

SHA256
e9d9e454e5da612653a2ac6a160cab2d496ccf6868566a4f966c0ea1d8b62557

SHA512
0fd98e5585e280145cac114ae85601e8d91f2c16ddf51a8c57799f01417bdf8c51b8aa7a322cb8b8b3798b8b75696ae44f33425f7b765e0c0512f2975d767255

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
465KB

MD5
c971f38c308c9e7aa6c1d3c1de00dfe2

SHA1
76c7d95778fa102802608b07fad8401ed228e579

SHA256
3d99241cc4fbe7540d6542c8bec90ec702ec3c9cc747500dad9549efa7406ede

SHA512
74e4ab15d363d2142aadb4f297a766684ec289dc49702cc99b802ee276d65752a65832e71a72fa5368603e403e7b9730523dc27fc6a11d87b601122f40a741fd

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
465KB

MD5
d261eeb8668028762603d7dab7ea4102

SHA1
37e479e8f1b1481978cb7071ed321d8424e4cbcf

SHA256
510c370b8fef99091d1aa406e47a8e35ab6bd1907ff1c88087e7b4c5e7993cec

SHA512
078a8dc228ef53d6eefb39828747827134528537deda27705e3997c237e3cbd6b44790efc1ee2d89050a544a02e63bb6f19668cd8e8adbe932c797002cd88e82

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
465KB

MD5
fb4c4a4b8fcb6b72cb51f6184d8450f1

SHA1
b92fb99a5ce5cd772b0d8def8293edfa6cef0608

SHA256
e1a0a6bc5ba5426fffac9f54478895b28372a62c6c6360e77968416d758f5367

SHA512
38b953bf47177d4a33769e87d32cade35fe15409e67d76e8e6ca914cd773956809759084fcd402983723009226f8b78bc86fa58e6bf61d9c57e38d590f51aadf

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
465KB

MD5
01532b17009cc86deaf0477708219b2d

SHA1
d452d88334c1e467ae5ad40feadceadf281719e8

SHA256
87e62176b65cc6fbc9164ce048d2f85cce188fae366e75cada6004ca256fe839

SHA512
3b4179caae8ba7f6db774ba22138ae4eab20070a2181440ed3acb4cb962b7e54b26943bd726c4daf90445a7dfcc019550a41c050bfc100dd6a7f5cc6d75e7e12

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
465KB

MD5
bccccac8a9450b85fd0b5ae5319ced5c

SHA1
372925d16e11f72de2635879d460cd8ec0f1b402

SHA256
60e9ddc68502a82e600109e866e5d2f6fefdc87496b0d2fbf1a69efcfb1fc7ea

SHA512
0c1772ccb886bc90cd3e442b8d3af6ab068d6cc919d8bc9825dd199030f7ab5be14dda1a9c6ac13da3d81b8886e57d2519362d395fda93007b8f338d52231f2f

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
465KB

MD5
7f9872651e029f3287cd0c3c90be8354

SHA1
229bd19fbb0548e35ba3a73b8cf7009a74a62256

SHA256
93a198317837caa5f9f87e23b9e16e93eddb87837c34e3dbc802a9c8f492d267

SHA512
2946d0f3bd24cddcee81e9253c7afcc4b22146abe8f40dd9eeaa845c9229de6cd9fb9bbd1ab5bcb45f3327a15f4f8cf2184893fd3e197a455b687b0b2f7edeac

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
465KB

MD5
4e07a544f35c62729d17760b80676e9c

SHA1
8fe45d6a51cf6b8f4d2b895b3aac9a629b8c200b

SHA256
7e115d1a6d774346b58fd0902095c23969ec2a3cc45e05d6bbdc6ddd951cdaf0

SHA512
64aead89391ba10d04f67cb5bacbc3b0436497ecc8bb453cfd70afbdd40c7efeaf958d118c7022ce0f29cc6da0791a0d2050167b94ed8d7ad1e21aba5f2bd81d

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
465KB

MD5
d8576d05945072b76abc2a9104fd6934

SHA1
473d1950fff6361556bb488b93e2c2d514830747

SHA256
0edee21bdaebaef2f22597198e1552a870451e6ff5a49bcb3ecee22c3ebc941d

SHA512
e8e2a8b6928dbdcfb683ccc0f91f19060a79dc49c8e29ef52e89ce7c6cd6ebe167bbd412dfc104fcac88fe34889cac5f9e61f9942c146c5e851ac177fd4808a0

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
465KB

MD5
0c4cf66d9d3fd999cbb1419df25f01bb

SHA1
d6cf7834c449ced2fe24b52d534b18d0e96602eb

SHA256
8889af26b200f4f32bc45b2b77d52658e13a1dd18235b09dc935de276501a4c0

SHA512
3be9405a69ac4eaeb66b6eca986124e43933c542c282034e6a1cff59de89c5226ba38fd32724dcccb2871c2a08edadce9af3a0954e623defc1dc65fdf05ab9c2

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
465KB

MD5
381de4f38a43ead39daa409e2a9e5a89

SHA1
9eb78fe7dbf15c902fe7b589cea00007483e1d2a

SHA256
57816be2e034d68ecb27dbadf15580f5d80b48de7dee239000f76c8e309b18fd

SHA512
ec22d71ba4f27abe2ecb4c43efff967905e4845309c31550bb8f9668ca8c9ec2bf95136032ccba1f10eeb0570726971041c771949dce1a967767c5f7d3054be1

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
465KB

MD5
922dede98e48c2cf8061ae0ee4ad0f92

SHA1
c16095b18e4e28e7be28d9b056c681710a0d9a9e

SHA256
616087e4c4552ac1162c67c801021c21d6f3f1f5d1524cee1d0d8582a9826a97

SHA512
fb4c0391f5e3caf7c772d525f97e7c916960d6dbcaad2b018e745705fff84f01ddf6514acf122e2e0beb4f462017997faaa922f4f92a3cd926b81c41a0a2b567

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
465KB

MD5
657e837abcb6867882a3da2084040648

SHA1
320ee58c8f820dd0399e4ac234f97b37847ea8b4

SHA256
fca3bcbbca9e9a270f8d0938ca537039a20eb50297e2d1ca5d9a9fd02c9d5953

SHA512
9287c26350f1d21f0f5da1ec69c31cac3da2b4f4779c745ed73e30874cfab30190300a5866fc80c2c3df7d3f0a9a29c3db8ed866bd96c5511f507e8439b71ce2

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
465KB

MD5
290c0a2b08ce478681e82ac54f3a4e26

SHA1
f96fafe9798a72842244aa3ec9b98e69fef63b07

SHA256
5f1d83c2652733fae7f9e1f9f25315394e15166fa33c36f262555b3ee74c2d49

SHA512
794aeb1107f0479b2b94d1b03d5b0cdf91e6c7fde518949fd1ee2f1f1581cadfd4be23bca0e2d5d1720602200b9a98b5dbd468477338da4eb274b6f518da1764

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
465KB

MD5
8ba4a4e7260cc30cb74f048048d9e0dc

SHA1
ae9a34fe1d8b0986eb0c5c2de31f793c12ef76a9

SHA256
ca10960c2732145dab08fd7e65df68cf4f35aef0f633ad927061e594bc77671d

SHA512
82ab414062989cd7ac2a7c3dc090733a8c8a0190a774d02081117a6662e88bbb1192e2cf9e8fd77b4316d3c51e24e6a02ada92ae385d34e91e3b89899cad0e58

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
465KB

MD5
a4fb770c34c07341de007feec93d659f

SHA1
548efd7be8096ab58b4664b480cd70b36b4bc1fb

SHA256
80f3115fe0fb5715f9309b694b02613c3475e6a11bb4bbe28295439b7b5591d4

SHA512
7b0e3b266c02da0c7a38e196073136ccb382698eb0bf28e017a43995b63ec14d1ce1c5c9c9c29877b33a501f4215fc94d5aef89043524015c449c2872c07229e

Download Submit
memory/32-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/32-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3488-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4868-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads