2a74af1f2747b8ae342c45ff01be5cd5332a8c243afabd4a4994ad6499994ac0

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 14:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7fdb7dbf828ed78fde14a505ac497c0N.exe
Size

350KB
MD5

c7fdb7dbf828ed78fde14a505ac497c0
SHA1

662f812174509d2fad2ffd6087eabd2ea2a8ddd0
SHA256

2a74af1f2747b8ae342c45ff01be5cd5332a8c243afabd4a4994ad6499994ac0
SHA512

00da4ef9b3cdaeae32fe6d0b18f20cdb4e5bf6b8697c3d7190567c0f34b6155cb18c24f6641c5558d19e580231fccc4a23c1fbf1badb3549571d732c5fbb40b8
SSDEEP

6144:ShGxEktpHVILifyeYVDcfflXpX6LRifyeYVDc:+GhHyefyeYCdXpXZfyeY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c7fdb7dbf828ed78fde14a505ac497c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c7fdb7dbf828ed78fde14a505ac497c0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe

Executes dropped EXE 33 IoCs

pid	Process
1884	Pplaki32.exe
2324	Ppnnai32.exe
2104	Pnbojmmp.exe
2784	Qcogbdkg.exe
2548	Qeppdo32.exe
2724	Apedah32.exe
2536	Ajmijmnn.exe
3016	Aojabdlf.exe
112	Aomnhd32.exe
1652	Adifpk32.exe
1616	Abmgjo32.exe
356	Aoagccfn.exe
2836	Adnpkjde.exe
1740	Bdqlajbb.exe
2928	Bgoime32.exe
1356	Bjpaop32.exe
1364	Bffbdadk.exe
912	Bieopm32.exe
2420	Bmpkqklh.exe
2080	Bjdkjpkb.exe
2216	Ccmpce32.exe
2384	Cenljmgq.exe
2208	Cmedlk32.exe
1988	Cileqlmg.exe
1016	Cpfmmf32.exe
1528	Cnimiblo.exe
2832	Ckmnbg32.exe
852	Caifjn32.exe
2768	Cchbgi32.exe
2728	Cnmfdb32.exe
2576	Cgfkmgnj.exe
2760	Djdgic32.exe
2572	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
348	c7fdb7dbf828ed78fde14a505ac497c0N.exe
348	c7fdb7dbf828ed78fde14a505ac497c0N.exe
1884	Pplaki32.exe
1884	Pplaki32.exe
2324	Ppnnai32.exe
2324	Ppnnai32.exe
2104	Pnbojmmp.exe
2104	Pnbojmmp.exe
2784	Qcogbdkg.exe
2784	Qcogbdkg.exe
2548	Qeppdo32.exe
2548	Qeppdo32.exe
2724	Apedah32.exe
2724	Apedah32.exe
2536	Ajmijmnn.exe
2536	Ajmijmnn.exe
3016	Aojabdlf.exe
3016	Aojabdlf.exe
112	Aomnhd32.exe
112	Aomnhd32.exe
1652	Adifpk32.exe
1652	Adifpk32.exe
1616	Abmgjo32.exe
1616	Abmgjo32.exe
356	Aoagccfn.exe
356	Aoagccfn.exe
2836	Adnpkjde.exe
2836	Adnpkjde.exe
1740	Bdqlajbb.exe
1740	Bdqlajbb.exe
2928	Bgoime32.exe
2928	Bgoime32.exe
1356	Bjpaop32.exe
1356	Bjpaop32.exe
1364	Bffbdadk.exe
1364	Bffbdadk.exe
912	Bieopm32.exe
912	Bieopm32.exe
2420	Bmpkqklh.exe
2420	Bmpkqklh.exe
2080	Bjdkjpkb.exe
2080	Bjdkjpkb.exe
2216	Ccmpce32.exe
2216	Ccmpce32.exe
2384	Cenljmgq.exe
2384	Cenljmgq.exe
2208	Cmedlk32.exe
2208	Cmedlk32.exe
1988	Cileqlmg.exe
1988	Cileqlmg.exe
1016	Cpfmmf32.exe
1016	Cpfmmf32.exe
1528	Cnimiblo.exe
1528	Cnimiblo.exe
2832	Ckmnbg32.exe
2832	Ckmnbg32.exe
852	Caifjn32.exe
852	Caifjn32.exe
2768	Cchbgi32.exe
2768	Cchbgi32.exe
2728	Cnmfdb32.exe
2728	Cnmfdb32.exe
2576	Cgfkmgnj.exe
2576	Cgfkmgnj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Aojabdlf.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Dqaegjop.dll	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	Pplaki32.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	c7fdb7dbf828ed78fde14a505ac497c0N.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Ajmijmnn.exe	Apedah32.exe
File created	C:\Windows\SysWOW64\Hqjpab32.dll	Apedah32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Kbfcnc32.dll	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Pnbojmmp.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Ajmijmnn.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	Pnbojmmp.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Cpqmndme.dll	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Pnbojmmp.exe	Ppnnai32.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bgoime32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1196	2572	WerFault.exe	63

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c7fdb7dbf828ed78fde14a505ac497c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c7fdb7dbf828ed78fde14a505ac497c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajmijmnn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 1884	348	c7fdb7dbf828ed78fde14a505ac497c0N.exe	31
PID 348 wrote to memory of 1884	348	c7fdb7dbf828ed78fde14a505ac497c0N.exe	31
PID 348 wrote to memory of 1884	348	c7fdb7dbf828ed78fde14a505ac497c0N.exe	31
PID 348 wrote to memory of 1884	348	c7fdb7dbf828ed78fde14a505ac497c0N.exe	31
PID 1884 wrote to memory of 2324	1884	Pplaki32.exe	32
PID 1884 wrote to memory of 2324	1884	Pplaki32.exe	32
PID 1884 wrote to memory of 2324	1884	Pplaki32.exe	32
PID 1884 wrote to memory of 2324	1884	Pplaki32.exe	32
PID 2324 wrote to memory of 2104	2324	Ppnnai32.exe	33
PID 2324 wrote to memory of 2104	2324	Ppnnai32.exe	33
PID 2324 wrote to memory of 2104	2324	Ppnnai32.exe	33
PID 2324 wrote to memory of 2104	2324	Ppnnai32.exe	33
PID 2104 wrote to memory of 2784	2104	Pnbojmmp.exe	34
PID 2104 wrote to memory of 2784	2104	Pnbojmmp.exe	34
PID 2104 wrote to memory of 2784	2104	Pnbojmmp.exe	34
PID 2104 wrote to memory of 2784	2104	Pnbojmmp.exe	34
PID 2784 wrote to memory of 2548	2784	Qcogbdkg.exe	35
PID 2784 wrote to memory of 2548	2784	Qcogbdkg.exe	35
PID 2784 wrote to memory of 2548	2784	Qcogbdkg.exe	35
PID 2784 wrote to memory of 2548	2784	Qcogbdkg.exe	35
PID 2548 wrote to memory of 2724	2548	Qeppdo32.exe	36
PID 2548 wrote to memory of 2724	2548	Qeppdo32.exe	36
PID 2548 wrote to memory of 2724	2548	Qeppdo32.exe	36
PID 2548 wrote to memory of 2724	2548	Qeppdo32.exe	36
PID 2724 wrote to memory of 2536	2724	Apedah32.exe	37
PID 2724 wrote to memory of 2536	2724	Apedah32.exe	37
PID 2724 wrote to memory of 2536	2724	Apedah32.exe	37
PID 2724 wrote to memory of 2536	2724	Apedah32.exe	37
PID 2536 wrote to memory of 3016	2536	Ajmijmnn.exe	38
PID 2536 wrote to memory of 3016	2536	Ajmijmnn.exe	38
PID 2536 wrote to memory of 3016	2536	Ajmijmnn.exe	38
PID 2536 wrote to memory of 3016	2536	Ajmijmnn.exe	38
PID 3016 wrote to memory of 112	3016	Aojabdlf.exe	39
PID 3016 wrote to memory of 112	3016	Aojabdlf.exe	39
PID 3016 wrote to memory of 112	3016	Aojabdlf.exe	39
PID 3016 wrote to memory of 112	3016	Aojabdlf.exe	39
PID 112 wrote to memory of 1652	112	Aomnhd32.exe	40
PID 112 wrote to memory of 1652	112	Aomnhd32.exe	40
PID 112 wrote to memory of 1652	112	Aomnhd32.exe	40
PID 112 wrote to memory of 1652	112	Aomnhd32.exe	40
PID 1652 wrote to memory of 1616	1652	Adifpk32.exe	41
PID 1652 wrote to memory of 1616	1652	Adifpk32.exe	41
PID 1652 wrote to memory of 1616	1652	Adifpk32.exe	41
PID 1652 wrote to memory of 1616	1652	Adifpk32.exe	41
PID 1616 wrote to memory of 356	1616	Abmgjo32.exe	42
PID 1616 wrote to memory of 356	1616	Abmgjo32.exe	42
PID 1616 wrote to memory of 356	1616	Abmgjo32.exe	42
PID 1616 wrote to memory of 356	1616	Abmgjo32.exe	42
PID 356 wrote to memory of 2836	356	Aoagccfn.exe	43
PID 356 wrote to memory of 2836	356	Aoagccfn.exe	43
PID 356 wrote to memory of 2836	356	Aoagccfn.exe	43
PID 356 wrote to memory of 2836	356	Aoagccfn.exe	43
PID 2836 wrote to memory of 1740	2836	Adnpkjde.exe	44
PID 2836 wrote to memory of 1740	2836	Adnpkjde.exe	44
PID 2836 wrote to memory of 1740	2836	Adnpkjde.exe	44
PID 2836 wrote to memory of 1740	2836	Adnpkjde.exe	44
PID 1740 wrote to memory of 2928	1740	Bdqlajbb.exe	45
PID 1740 wrote to memory of 2928	1740	Bdqlajbb.exe	45
PID 1740 wrote to memory of 2928	1740	Bdqlajbb.exe	45
PID 1740 wrote to memory of 2928	1740	Bdqlajbb.exe	45
PID 2928 wrote to memory of 1356	2928	Bgoime32.exe	46
PID 2928 wrote to memory of 1356	2928	Bgoime32.exe	46
PID 2928 wrote to memory of 1356	2928	Bgoime32.exe	46
PID 2928 wrote to memory of 1356	2928	Bgoime32.exe	46

C:\Users\Admin\AppData\Local\Temp\c7fdb7dbf828ed78fde14a505ac497c0N.exe
"C:\Users\Admin\AppData\Local\Temp\c7fdb7dbf828ed78fde14a505ac497c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\SysWOW64\Pplaki32.exe
  C:\Windows\system32\Pplaki32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\Ppnnai32.exe
    C:\Windows\system32\Ppnnai32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\Pnbojmmp.exe
      C:\Windows\system32\Pnbojmmp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:356
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 144
        35⤵
        Program crash
        
        PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
350KB

MD5
80506f132a252c78973b52a65a643372

SHA1
c839f83d2cb8a19a8a1d1d891f47827a05ae59f0

SHA256
66f1b72e12274f5687a9a53ba5bac7668b298d1fdcc755b30c274a8229b5e104

SHA512
e987844e9d455ac650d20e4519cd7b3f8dde0202435c03338acb6221beccdca5d6cfb57f2f55bdc7027aa5e9529312d5edcbf0af56a743630235474d7e3dfcaf

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
350KB

MD5
8dc317c04ba6496141807cdbc7d40c29

SHA1
ccbdd0da6ddd25ccfc779c8fe8e3c1aa5d9fb45b

SHA256
f851b725011dc17920b4635e62287030d7205a2c55b611afb3e4e6b14851f63c

SHA512
e0f379f9780681a40acf950aa2ffb1cbe34575994e8761d94cb1ed8b91828d748943bb4d2e6daaa4267fcedafbc508de012e12f3342315784d44c180dbf9e08c

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
350KB

MD5
f70a3bb7be634c2863f67a34d9355b0d

SHA1
f9bacdc3bfdf0100e406657affb8f80c402076a1

SHA256
6f336a78fdff2c584c8a639109bd58cad90ecb07c9345aa652cd398d9cb602e9

SHA512
eba079711745f748eb3cfbfc8877b6ddd5035ec3247de23c7c4e6de1b0b00b763cefc90023ca6c3d04d6c1a18da0eff2c9ae594ba0c67b93b1df4b70588e45c4

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
350KB

MD5
e567c5571423f672eb8cf8329d9f2e37

SHA1
28288495edcdb61ef3abde70186ad96e76bd7c83

SHA256
e3af488a3da5ae860c68b61da8b519d6f119b48417fbffe28ba5f60a8712e57d

SHA512
004f4a603fc0910c7734b086e0207c11f009360bd2a2cfff971b622f0322e6f1844faa66e2c57d54b943030433ea1786731d58d1becf1d8ca54656eb5728a7dc

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
350KB

MD5
efa9d495425ca42993b2696838b847b5

SHA1
e8eecf3599dbd047be1bebe71d846b9a2ec175b1

SHA256
21dff4c0538191a69cac374cb3f911cc36d22eed6efc2bc93e2d7120178dfeb9

SHA512
742326f88a29199befaeda6236787a4ec80cb3a5ffc650c75229c8584468f12214267810a62264df3ace0b2a5fa2a298b59b0a64f50f622888ed2d1c855a2a27

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
350KB

MD5
5186c814a4a4e4f2d24660ed3d173028

SHA1
e428ed829d7af7c3469fc86057747e311dee0546

SHA256
5a3d4dfda24cbc75483df0973ec5c467caaea8a0d8fb85742cd89d048b7a6bf5

SHA512
ce9c215197b9cf84b81c0b894b15bddda53387aa55b2bb96f133ba587fcaa47cf28bd2869f1e0250f323ee541c726ecaffee02f184890889ebd0d28e9143fde0

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
350KB

MD5
715b6d9d46dd5c6fcf9a848678d346bc

SHA1
adba12201b0ed4347271c406d84e5da6cc869acb

SHA256
a3495f01c8309140c5fdac564739cae64f2f92eb9e731678587781035e2ad8aa

SHA512
35e259f9da247c07e22f205c3cb23f0e41beb531b4b112972e4c26b1cc2b59cc2dca3ecb6d2def83e72f907e64a4427aac02ec894a3d9251f0589ec4f2f69a74

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
350KB

MD5
7d88e3b2bc1654f306a7f438a267e58c

SHA1
ff5f669442a320487e1a9f720b0e5598207e0975

SHA256
4820395d8a555ad54944da70ad10ba5107d634f067c1acb974b1c05620cb9d58

SHA512
0637a1f2c5bd162b3a8ce2038c8b5a6da5d5d5676a62d8fce102910e16f312e76956aa76c5179f95108516a095edba5f630231d109fc2d4213d27702befd56b6

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
350KB

MD5
945b3b5a58e3653a8e8b2517c76d57d6

SHA1
3a19796cc02f78b33f0388b0e9a912b5813bb631

SHA256
072c3d74c6f92d9b4ecec126640310a606f6d0e830db527884e0ae04a87b01e4

SHA512
2c97545e6c8515e836cf5619128d6ebe9e4d2b6670c8bce778580ef60f8e5916b2b610e50d3b2f3903ee1f3d1fe19546084c0a25c21be86af1bdbf61c46cd944

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
350KB

MD5
0441c39544ddb2af437ecafb96a74f0c

SHA1
1c7eb8837b5e91e7262c3c13ce7aa372991f4004

SHA256
cd4ab5f037dbc319c2884c9ed18ad1dfed6d25d45d9c48b3410190cb30827be5

SHA512
ebdb587aafc8c72e981bd1aa36cf28b9b7b5baa111bdbc5c44a6e8bb9668303a36acd54ea7a6e329d94bf1f3f3687d373a32b3bd4e8d9d0850ce83ade5965e23

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
350KB

MD5
06153ebf81414550e5b9f759b93f9fe7

SHA1
590da8673a6b6a91fdb719b4d15aaa89fa0f21c2

SHA256
11913363b1fb5201900255343d7e17323134f8d83b1dfa60eb1eb8d7b9e42a6c

SHA512
d4f3b458d5c3b7e1b50700acf9fab9a05158355d909c9046ceaee2bf7f9f7f710aecf41414a4675861da43f7e9f0fb4df63415c6c46c7c08ac06ad19c7c42591

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
350KB

MD5
2343e848e99a4323045bd857df4d2947

SHA1
e2cc5c0f007b18218aeead3efea3cba9fb6355b5

SHA256
bd9d8158289f0e622eb92d495fde7547f11bbed6b8dee9d4b6407cfcce035679

SHA512
7a87a0194c9595e47ef3abacf64d221c522da0410add5567aace1a3d05bcd938fcb32b52cce0cd36f5e2d59027c382c0697730e6970e824bdae67766b4d31c13

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
350KB

MD5
b9e691794e786c0d8fa6b119aaca9c74

SHA1
befe8f0e412213d80596de6a309c392ff1ff1ddb

SHA256
b05011afe4d4af9fa63afb63687bdf0645ddcff621ee02c1ee822a8a08776940

SHA512
8e4c136616b2f48202740f797bbb85a9c2f5689d6b690395b4c3955b66d6fd9fe5d417e2e09ec59aad034b55a25f70efd305f2641233329056c2c63089966ed4

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
350KB

MD5
4beb432def14a6362eca1980f2e35d91

SHA1
eeaf8776cebf69cc21c37c0f336d762ee315a1f6

SHA256
711eaa5a272cb981772bb566ba59cac77f9774ca2ac89ae6b5f76db2ed125c2d

SHA512
bce07bcc4bdccbd4625b1c332f6b4273b14b5f8d7224123f9b4b55f0fea50f24f9a6bd709d1b1dab05c72eede37d266c7722919596238f6c43a117233b5f1f43

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
350KB

MD5
4faf8821b99eee6b625056f81e4fdffd

SHA1
aa3cadd7d7cbe63b663e8395fae8673cfe78d8d9

SHA256
9bcae382ce6753b9838773fc2503b168bdd4921a947257de6b12eaffa07236a6

SHA512
78f3b3b503781c2080667da6ccd3efa0c592804e7f0d72c090a22215aede4ae770e30ccce7bf8e92f83ddeb8f229fc0d2883f4cad40ddc35bf9bbfc77410c9e4

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
350KB

MD5
3a1c810b5a11a77117ee264f8026705b

SHA1
864d4721bdf2f579bd81a3474b98848975c483bb

SHA256
243b9e2093870b56e779cbc9277e0185034d18122947d9001cb8cb6873a40149

SHA512
fe5d7ffb0c303421ba9064b61cf3f844325047b36ed4fc8c78758d11efd455496b2f3005f3bfd84bb79bf94699a92c902a7b3042ab5e12984eed1d20c210c2a6

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
350KB

MD5
c68c804c71d6d6aa0733f5bd4c78d7bf

SHA1
3eb5368dc1c9ce7f66df325086d290f17f6b7ddf

SHA256
f04ab395ece70825e44428319fd5166f57e5a0cb73bb34e2cf0d61259d011795

SHA512
112260eb449c5c63c44a293d58013e2d81aacd3e23560084b8c34203cfa3b0a6d906b377a0ea3eb21dc0d559ac3bf3a04d0b6af36c08e3109a9879d5241bdf3f

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
350KB

MD5
9812d138a05cd47dd74f46304371edcd

SHA1
21e5e5cc19e48e1f32658bc6604e490ea2a564a8

SHA256
247530792e9fd2141ee2200d4311222c47e2667e85bbb39daf797bc70a73b00e

SHA512
30cf79f82c61b9c4b3374bc26579ea1923bc739282afb8b739cd9011f942dc2e8d38c615fdc0991e49eab6cafcc52f9a374fd2e14617e9c18ed11db305aee382

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
350KB

MD5
45d48e3ebef8add91368434dd994459d

SHA1
0be1040864da8bd62354464c62bb1ad4bf9cb91f

SHA256
0fd346a20bb5c0792796f4965e9d77b33faf020c1c8dd6066f08686948bd0bcd

SHA512
76f93b4b53a29a03938c8ca21874484c2b28f934d3e7d9b46df79b1d9f69269732ee7ea49fc4b0f4388674d17f12f7001157739891cf4704c92454c10872c943

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
350KB

MD5
ba6a0bd81544937665c0df9021f3779b

SHA1
1d187220af312edaf4242a27bd5539f047142a07

SHA256
8ca811cd6f47912a84bf8fb6729b423037d4ce490736ed1693761498e408e3d0

SHA512
0c057535bd6717c8052d44ba0a4efdbb1da974b9395cb7c08a3859a8bc9506dbc8ed3bd1674c15e6d44667d20296db0b054b512d964c7771eea3e13fd2294ffb

Download Submit
\Windows\SysWOW64\Abmgjo32.exe

Filesize
350KB

MD5
86f3453975cc8f3bbe2caeb161931f0e

SHA1
a964c08122896bdac5dbbf7633cc765fe94b27f7

SHA256
03ba267d35016fef7c5f1a902275a4553777bb1728e3a922bbfb287a0b71af2e

SHA512
ddcd55f7b5f6fc110f0be85b96f3058bb35a923b2d86accf9f182a04d4628f633bc0b8381c8387c55f5395ae8e6d1210a25f83156812313a3217f62c8c560c35

Download Submit
\Windows\SysWOW64\Adifpk32.exe

Filesize
350KB

MD5
3f035675b448b5a0e75114d092ead8ba

SHA1
9bf2cf8b89e4b75603a3628a0441e7382d5c3326

SHA256
27df1ebbc16b828f28bc369bac551ebbd706240deab20cc101d0695d2ef3dc9d

SHA512
aa8294af1774b9b0066440f4461a4d082dedb47c7b7fdbf188bae9bca249739362e33a27b065935e258a9ac1485a0293c4e0aa44d00c2b653c8700979eb1b231

Download Submit
\Windows\SysWOW64\Adnpkjde.exe

Filesize
350KB

MD5
f8cc7d2f79eb20a4d89914cbc67fbe13

SHA1
76e02acc7c4518c13be039e70455fa24dd5d10b3

SHA256
a07e98f96de3b567abe86c162464d3fb28e8e5f5fba46c0031d6e595da8b6d18

SHA512
24ae79da89e8419279d030bee25ed1bf19bba4dffc1d78b797aac23f3a25dc8fc6b18404640429406296c59b9aaba3b5093b1b8cd7533fefa246edef1b9cd934

Download Submit
\Windows\SysWOW64\Ajmijmnn.exe

Filesize
350KB

MD5
0fd03b90fcb4b65574298629fec342ce

SHA1
f3add27801cb96b048305e4166ce84c229519833

SHA256
17a6566b87c72dfb4522efa33ad564dc3768895436400310cb0aff880658f679

SHA512
7483c5e886e3ddcf9a9bcc3847c3d4839386d5c1c7ae41690a22b4c45c00fbbbf89e56ad67a4e574e172948918fb51160de449352dabd1ed2c31baec8bb40a57

Download Submit
\Windows\SysWOW64\Aoagccfn.exe

Filesize
350KB

MD5
4f48b2291222020d0232b15e4fab0073

SHA1
98871537b655d0e88b7fc840423dcdc304eaed33

SHA256
3663014bb1853776ce5569c8aaafdf649e239429b198e2e527ac3cd21a218200

SHA512
25a7980c1413351300d9ebfd29b26172481de9e53485b240d6c2753ec3086770949e685e1d348a22f75fa5a8d475ba8f954aa3315f14c99e711846c5d7b12ec3

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
350KB

MD5
7f2addb1d2bc3422cdf8cd985e45d8d5

SHA1
763994d7455d5a8aef9156787ab8ad8e259124f0

SHA256
80d771e62bd320d13422a8f26ee3dd968a2c2561ff522a93966983af4b29abba

SHA512
aeebb05b649dfd0170ce4dc9082e4e676a01e91666edbddb85913a2db672780baba4824a55fbde0d5d880e4ed56f0de93f6a788817656d282fc8688eb72c4303

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
350KB

MD5
722d632621604414d62bc837ff544a93

SHA1
e7f11945d4db2846e97a2d19d1a2942d6ff64bcd

SHA256
6b78f2f8f68ed532d2f0c1344a097d3ddc65dd8fcc9a2aca02bdc64f40aec4aa

SHA512
ece4e9d94cd3cb6e01a97e2ffb8bae2ee55ff3824de0c2a5f60d991f8abb2edad9be31d0b21566c2a579f4ec0a2b487dc2705ba428cf7d23d6cfda8f19c42611

Download Submit
\Windows\SysWOW64\Bdqlajbb.exe

Filesize
350KB

MD5
3c651f4befd3958a66eee092e05b8b58

SHA1
4c8311025a02fb1f0b9fe495bfe788aeab6765c0

SHA256
8c7b97a7e802076dbd7370f3a41a7cf897bd02c3bc5f378ec9f6c69b96ed815a

SHA512
55dbcd22e0cad72f0db78111a9781d0b732f415cde874efaf14f32c5c92c6f3fbf5c1e8700ac120dcbb9dfd7ca12a3385588d00f5f2e4c0025623c0532814fcd

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
350KB

MD5
7d0460af22d4ddc4276a10699d5e0050

SHA1
ed2e5a63086ac73c316b30cfc2955127443ed93e

SHA256
9a8c6907f5beb7dcb52d1cfb9c0a2a123a6d8717e7c4773403bbd9af271fd05d

SHA512
e90f190e538585fd065af26ecff8ff7e740f5b21a8f5d5a2ecc08c0498580556d6979bed22e9277b2bbb08a42122f709d7bd85661c54384bdc283d8596dfa2eb

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
350KB

MD5
d21d8c3176e9c837712a6459de196335

SHA1
879a3a96aa72f7d86100658f7e9c0e949ba34d6f

SHA256
0bb6b2fcb7546654602dbd58a6c663632563885bdda356fdef48179d26038a2e

SHA512
135d6b4eecd691fe9c42f31b22b7bfea296927d677233cb66ca2b1dc0dc1354482c8e5c9264aa31253f2063f50796717bf50f34fd028a623d9a445aa76ab8e6a

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
350KB

MD5
4c25550b10a3a7f6bd96e04b7a1bc5ae

SHA1
d4e176c692d30ff6fb2b8c11f93a9ddf3be36f83

SHA256
11740beda5f7b7308eb83bbf99e65cd3612886df233c29eeb6380c49349b4c94

SHA512
7b79b9eb8fd763168040649cf8324abbd6e5e8aec49163388d211dc089fd7c92297162203ed4aee12dd0d3617756bb345e072ccf2c95d9338448af6fb7ee8c6e

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
350KB

MD5
299009947cdff0e5afedfd715046f7ac

SHA1
97107283dbe8896ec267b581db1b5314254ff032

SHA256
8044f84448e0370f3b866337287176699d701b430c822e709f17a4d20b53d5e4

SHA512
9b5f8439f8572be05c3e1765c2ef49a8edb2a8a4226e1754a440a3f9622556b56167ca998bdec21f381e5d160f3b1ce715f0573949a8abb0f4a11b0396dfc871

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
350KB

MD5
eeeec288fa3e85bf40aedcd3c9254f02

SHA1
6497b8536d475fb7651b641ebd60748e15ebe80c

SHA256
8a11d67e0322f6a934e8eb94cabca956592bf46b37fb41e03e27e66bb97c9faf

SHA512
fc83bd1bd6c50a2c69440063582dbdbeb95b7720b5b3b862a672e4291a46bb56aba1cc87a6a25c03a15b5a7b09a6931af313d836d7803abeebe0c297f58ecbf6

Download Submit
memory/112-485-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/112-119-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/348-459-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/348-12-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/348-13-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/348-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/356-491-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/356-158-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/852-523-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/852-350-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/912-503-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/912-245-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/1016-319-0x0000000000300000-0x0000000000359000-memory.dmp

Filesize
356KB

Download
memory/1016-517-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1016-318-0x0000000000300000-0x0000000000359000-memory.dmp

Filesize
356KB

Download
memory/1356-231-0x00000000005F0000-0x0000000000649000-memory.dmp

Filesize
356KB

Download
memory/1356-229-0x00000000005F0000-0x0000000000649000-memory.dmp

Filesize
356KB

Download
memory/1356-215-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1356-499-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1364-235-0x0000000000300000-0x0000000000359000-memory.dmp

Filesize
356KB

Download
memory/1364-240-0x0000000000300000-0x0000000000359000-memory.dmp

Filesize
356KB

Download
memory/1364-501-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1528-330-0x0000000000350000-0x00000000003A9000-memory.dmp

Filesize
356KB

Download
memory/1528-519-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1528-329-0x0000000000350000-0x00000000003A9000-memory.dmp

Filesize
356KB

Download
memory/1528-320-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1616-489-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1652-140-0x00000000002F0000-0x0000000000349000-memory.dmp

Filesize
356KB

Download
memory/1652-132-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1652-487-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1740-495-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1740-198-0x0000000002020000-0x0000000002079000-memory.dmp

Filesize
356KB

Download
memory/1740-190-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1884-469-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1884-14-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1988-515-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1988-299-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1988-313-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1988-312-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2080-266-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2080-507-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2080-257-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2080-267-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2104-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2104-48-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2104-473-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2208-513-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2208-289-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2208-298-0x00000000002D0000-0x0000000000329000-memory.dmp

Filesize
356KB

Download
memory/2216-278-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2216-268-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2216-277-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2216-509-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2324-28-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2324-471-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2384-288-0x00000000002E0000-0x0000000000339000-memory.dmp

Filesize
356KB

Download
memory/2384-287-0x00000000002E0000-0x0000000000339000-memory.dmp

Filesize
356KB

Download
memory/2384-511-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2420-505-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2420-256-0x0000000001F50000-0x0000000001FA9000-memory.dmp

Filesize
356KB

Download
memory/2420-252-0x0000000001F50000-0x0000000001FA9000-memory.dmp

Filesize
356KB

Download
memory/2420-249-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2536-481-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2548-477-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2572-393-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-380-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/2576-529-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2724-479-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2724-88-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2724-80-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2728-362-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2728-376-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/2728-527-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2760-392-0x00000000002D0000-0x0000000000329000-memory.dmp

Filesize
356KB

Download
memory/2760-381-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2768-360-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2768-361-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2768-351-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2768-525-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2784-54-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2784-62-0x0000000000300000-0x0000000000359000-memory.dmp

Filesize
356KB

Download
memory/2784-475-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2832-331-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2832-341-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2832-521-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2832-340-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2836-493-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2836-185-0x0000000000320000-0x0000000000379000-memory.dmp

Filesize
356KB

Download
memory/2836-186-0x0000000000320000-0x0000000000379000-memory.dmp

Filesize
356KB

Download
memory/2836-171-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2928-497-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2928-200-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2928-213-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2928-212-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/3016-106-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3016-483-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads