8c1f00958fa7ba3dcb49289485690ae54f3ec7e71913d709ea6b992863b1adc7

Analysis

max time kernel
138s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
Size

80KB
MD5

2fd15f2c3ad4d590b2afbf1bea06a530
SHA1

2413f9e9e9ddf63793ea77b2f89c31a3f38c4019
SHA256

8c1f00958fa7ba3dcb49289485690ae54f3ec7e71913d709ea6b992863b1adc7
SHA512

cdd18c46f4313c047ca1fe09aeaf55a5077fa6cee94c5f473b74ab9ce2ff888889213e79ff432acdd37831eb8bca61fa6d1d14b04c8b48fc04724f2183f9ebdc
SSDEEP

1536:tv5jvrfp4czE0sXKdSYUoY705YMkhohBE8VGh:PxBzts6xUjAUAEQGh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe

Executes dropped EXE 24 IoCs

pid	Process
1980	Bfdodjhm.exe
2920	Bgcknmop.exe
4368	Bnmcjg32.exe
1440	Bcjlcn32.exe
3708	Bjddphlq.exe
3176	Bclhhnca.exe
4384	Bmemac32.exe
1952	Chjaol32.exe
3684	Cenahpha.exe
1684	Chmndlge.exe
624	Chokikeb.exe
3156	Cnicfe32.exe
4032	Cjpckf32.exe
2544	Cdhhdlid.exe
2404	Cnnlaehj.exe
3236	Dfiafg32.exe
4180	Dmcibama.exe
4112	Ddmaok32.exe
3524	Dobfld32.exe
2744	Ddonekbl.exe
4644	Dodbbdbb.exe
956	Dogogcpo.exe
4608	Deagdn32.exe
2100	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4420	2100	WerFault.exe	109

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1980	2480	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe	85
PID 2480 wrote to memory of 1980	2480	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe	85
PID 2480 wrote to memory of 1980	2480	2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe	85
PID 1980 wrote to memory of 2920	1980	Bfdodjhm.exe	86
PID 1980 wrote to memory of 2920	1980	Bfdodjhm.exe	86
PID 1980 wrote to memory of 2920	1980	Bfdodjhm.exe	86
PID 2920 wrote to memory of 4368	2920	Bgcknmop.exe	87
PID 2920 wrote to memory of 4368	2920	Bgcknmop.exe	87
PID 2920 wrote to memory of 4368	2920	Bgcknmop.exe	87
PID 4368 wrote to memory of 1440	4368	Bnmcjg32.exe	88
PID 4368 wrote to memory of 1440	4368	Bnmcjg32.exe	88
PID 4368 wrote to memory of 1440	4368	Bnmcjg32.exe	88
PID 1440 wrote to memory of 3708	1440	Bcjlcn32.exe	89
PID 1440 wrote to memory of 3708	1440	Bcjlcn32.exe	89
PID 1440 wrote to memory of 3708	1440	Bcjlcn32.exe	89
PID 3708 wrote to memory of 3176	3708	Bjddphlq.exe	90
PID 3708 wrote to memory of 3176	3708	Bjddphlq.exe	90
PID 3708 wrote to memory of 3176	3708	Bjddphlq.exe	90
PID 3176 wrote to memory of 4384	3176	Bclhhnca.exe	91
PID 3176 wrote to memory of 4384	3176	Bclhhnca.exe	91
PID 3176 wrote to memory of 4384	3176	Bclhhnca.exe	91
PID 4384 wrote to memory of 1952	4384	Bmemac32.exe	92
PID 4384 wrote to memory of 1952	4384	Bmemac32.exe	92
PID 4384 wrote to memory of 1952	4384	Bmemac32.exe	92
PID 1952 wrote to memory of 3684	1952	Chjaol32.exe	94
PID 1952 wrote to memory of 3684	1952	Chjaol32.exe	94
PID 1952 wrote to memory of 3684	1952	Chjaol32.exe	94
PID 3684 wrote to memory of 1684	3684	Cenahpha.exe	95
PID 3684 wrote to memory of 1684	3684	Cenahpha.exe	95
PID 3684 wrote to memory of 1684	3684	Cenahpha.exe	95
PID 1684 wrote to memory of 624	1684	Chmndlge.exe	96
PID 1684 wrote to memory of 624	1684	Chmndlge.exe	96
PID 1684 wrote to memory of 624	1684	Chmndlge.exe	96
PID 624 wrote to memory of 3156	624	Chokikeb.exe	97
PID 624 wrote to memory of 3156	624	Chokikeb.exe	97
PID 624 wrote to memory of 3156	624	Chokikeb.exe	97
PID 3156 wrote to memory of 4032	3156	Cnicfe32.exe	98
PID 3156 wrote to memory of 4032	3156	Cnicfe32.exe	98
PID 3156 wrote to memory of 4032	3156	Cnicfe32.exe	98
PID 4032 wrote to memory of 2544	4032	Cjpckf32.exe	99
PID 4032 wrote to memory of 2544	4032	Cjpckf32.exe	99
PID 4032 wrote to memory of 2544	4032	Cjpckf32.exe	99
PID 2544 wrote to memory of 2404	2544	Cdhhdlid.exe	100
PID 2544 wrote to memory of 2404	2544	Cdhhdlid.exe	100
PID 2544 wrote to memory of 2404	2544	Cdhhdlid.exe	100
PID 2404 wrote to memory of 3236	2404	Cnnlaehj.exe	101
PID 2404 wrote to memory of 3236	2404	Cnnlaehj.exe	101
PID 2404 wrote to memory of 3236	2404	Cnnlaehj.exe	101
PID 3236 wrote to memory of 4180	3236	Dfiafg32.exe	102
PID 3236 wrote to memory of 4180	3236	Dfiafg32.exe	102
PID 3236 wrote to memory of 4180	3236	Dfiafg32.exe	102
PID 4180 wrote to memory of 4112	4180	Dmcibama.exe	103
PID 4180 wrote to memory of 4112	4180	Dmcibama.exe	103
PID 4180 wrote to memory of 4112	4180	Dmcibama.exe	103
PID 4112 wrote to memory of 3524	4112	Ddmaok32.exe	104
PID 4112 wrote to memory of 3524	4112	Ddmaok32.exe	104
PID 4112 wrote to memory of 3524	4112	Ddmaok32.exe	104
PID 3524 wrote to memory of 2744	3524	Dobfld32.exe	105
PID 3524 wrote to memory of 2744	3524	Dobfld32.exe	105
PID 3524 wrote to memory of 2744	3524	Dobfld32.exe	105
PID 2744 wrote to memory of 4644	2744	Ddonekbl.exe	106
PID 2744 wrote to memory of 4644	2744	Ddonekbl.exe	106
PID 2744 wrote to memory of 4644	2744	Ddonekbl.exe	106
PID 4644 wrote to memory of 956	4644	Dodbbdbb.exe	107

C:\Users\Admin\AppData\Local\Temp\2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2fd15f2c3ad4d590b2afbf1bea06a530_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\Bfdodjhm.exe
  C:\Windows\system32\Bfdodjhm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Bgcknmop.exe
    C:\Windows\system32\Bgcknmop.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\Bnmcjg32.exe
      C:\Windows\system32\Bnmcjg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        25⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 396
        26⤵
        Program crash
        
        PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2100 -ip 2100
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
80KB

MD5
7a307e9b6c264c479cd8595df3ff43fa

SHA1
4467e5f2a2a5ef0c93b42ff16cff924e136f6f45

SHA256
c5fd7c3da102cf9fec009270dfc5b6991a9777b8e7e499a7a4af7a00a39aaa9a

SHA512
0065550b269971c0a0960dd37c05150d16ea9020a213a974468b536c298d6d81d78f6ab6911e8b599ac1deb2923e58b5844cc66152cf28283b6f3cab8596f66b

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
80KB

MD5
7a307e9b6c264c479cd8595df3ff43fa

SHA1
4467e5f2a2a5ef0c93b42ff16cff924e136f6f45

SHA256
c5fd7c3da102cf9fec009270dfc5b6991a9777b8e7e499a7a4af7a00a39aaa9a

SHA512
0065550b269971c0a0960dd37c05150d16ea9020a213a974468b536c298d6d81d78f6ab6911e8b599ac1deb2923e58b5844cc66152cf28283b6f3cab8596f66b

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
80KB

MD5
3f9881303f3cef919c25bf250268a3b8

SHA1
45d0189f0388b74d16b209783235d92ffcdec930

SHA256
7ed275649f76109e8e9d36ba1ef3f770c4904575aa0269c35fd8d6e0d9ab55a1

SHA512
39bbad4e5c8fd99724c34829a490e6708f55d5ec97fe29a90a1db22688db7d5ed7cd5922b8df0724c289c35c228cdd710b6aa7cf55344b392a98017e87ed2da8

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
80KB

MD5
3f9881303f3cef919c25bf250268a3b8

SHA1
45d0189f0388b74d16b209783235d92ffcdec930

SHA256
7ed275649f76109e8e9d36ba1ef3f770c4904575aa0269c35fd8d6e0d9ab55a1

SHA512
39bbad4e5c8fd99724c34829a490e6708f55d5ec97fe29a90a1db22688db7d5ed7cd5922b8df0724c289c35c228cdd710b6aa7cf55344b392a98017e87ed2da8

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
80KB

MD5
7378f643513e6bfa8cd820e3adc792b9

SHA1
5da24c031768d01a3b21f220aa858024080fae78

SHA256
ff99349bb6cf0c5926526a33a2eb7fe046cc3ddade5c7660fb8eab27ffe2429a

SHA512
338ba3c2d6ba60c4fea3c566aa76d9a34017d5a43ad52fb279cc4e1b300d0cdce65bf2a34714dfc4586a6fc708db9b77e63c396c425159f116fbf5fa647c1287

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
80KB

MD5
7378f643513e6bfa8cd820e3adc792b9

SHA1
5da24c031768d01a3b21f220aa858024080fae78

SHA256
ff99349bb6cf0c5926526a33a2eb7fe046cc3ddade5c7660fb8eab27ffe2429a

SHA512
338ba3c2d6ba60c4fea3c566aa76d9a34017d5a43ad52fb279cc4e1b300d0cdce65bf2a34714dfc4586a6fc708db9b77e63c396c425159f116fbf5fa647c1287

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
80KB

MD5
2e0b9fbcb98a4887626f0ea2a8c459cb

SHA1
c944fe3ca64ffffc2937d56c769d3d79efa84b43

SHA256
0950da742e553af0182836e7c80af9cf91f9d11cd2ff1dea82df8b4fa067e4fe

SHA512
01f5d694dd68e6f1e53774207cf445298613ea3b61951d1d4130b538dc579862a6037afec38ef5a48fcfcd83bde83e3d7c383faf9ffd1785e246e0353413c666

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
80KB

MD5
2e0b9fbcb98a4887626f0ea2a8c459cb

SHA1
c944fe3ca64ffffc2937d56c769d3d79efa84b43

SHA256
0950da742e553af0182836e7c80af9cf91f9d11cd2ff1dea82df8b4fa067e4fe

SHA512
01f5d694dd68e6f1e53774207cf445298613ea3b61951d1d4130b538dc579862a6037afec38ef5a48fcfcd83bde83e3d7c383faf9ffd1785e246e0353413c666

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
80KB

MD5
ad96d0465c02eea0fdf1cf1465d05ce7

SHA1
90580f38cbd1fc11147461b20835f095db176f91

SHA256
7d085a1e013a025de8d7db76085a938a53dd0de828acd91debc8d83863bc0a17

SHA512
295777b9c030f2f635308949486ac023ab9c823c1e69d5aacdb8849aab89ce3da64cd374d8dda1df4382b199dad92096884a77b865a099f333528a66d166e6c2

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
80KB

MD5
ad96d0465c02eea0fdf1cf1465d05ce7

SHA1
90580f38cbd1fc11147461b20835f095db176f91

SHA256
7d085a1e013a025de8d7db76085a938a53dd0de828acd91debc8d83863bc0a17

SHA512
295777b9c030f2f635308949486ac023ab9c823c1e69d5aacdb8849aab89ce3da64cd374d8dda1df4382b199dad92096884a77b865a099f333528a66d166e6c2

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
80KB

MD5
d2bd036470f30db4a8bd7cc00b92be39

SHA1
122acb83b058f3eabad26883793068233852deba

SHA256
7d02412e45ca6d3cd5e9e74a48d631f3a604223aafe1bcf62146d0c78add4c81

SHA512
1ae4109b1078fb52ccf760b2887cde7683a84a4a7d370172a5171972ea3c2e5283489f0597870a376a12d59d829ddb99837f5b8a9468f3a97b4a164055c6a497

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
80KB

MD5
d2bd036470f30db4a8bd7cc00b92be39

SHA1
122acb83b058f3eabad26883793068233852deba

SHA256
7d02412e45ca6d3cd5e9e74a48d631f3a604223aafe1bcf62146d0c78add4c81

SHA512
1ae4109b1078fb52ccf760b2887cde7683a84a4a7d370172a5171972ea3c2e5283489f0597870a376a12d59d829ddb99837f5b8a9468f3a97b4a164055c6a497

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
80KB

MD5
8838c7747c9b261dd2c74811af9c2f89

SHA1
0d4a0235266e24f8e24fd8501e6e95ded00c48aa

SHA256
1f3f52fc1dec51d50b3f390b074e1dced3a09023f11dafcf3d58426217b5f2c0

SHA512
9c2f9b5e827716bebbf09fda964f3b96a2823b07cd579b336b77dd76b410297bd0ea33f3518cd4beee15d97422e0a0fd98fd8d3a231cb88bbca6d9467b59a523

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
80KB

MD5
8838c7747c9b261dd2c74811af9c2f89

SHA1
0d4a0235266e24f8e24fd8501e6e95ded00c48aa

SHA256
1f3f52fc1dec51d50b3f390b074e1dced3a09023f11dafcf3d58426217b5f2c0

SHA512
9c2f9b5e827716bebbf09fda964f3b96a2823b07cd579b336b77dd76b410297bd0ea33f3518cd4beee15d97422e0a0fd98fd8d3a231cb88bbca6d9467b59a523

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
80KB

MD5
082bf2ee298ba1035506be8c253cff07

SHA1
9406cbc06e9c117105b691638da17c5def967cb4

SHA256
b5aad2cdb6e3e844ce3c9faae203e0a050d515bc1e29a144d86dbaec8762b444

SHA512
5ef09e5b491ad6c6366b9483de6271c05681e8b44b01d4bd3e75ba56732d2d647341ecfb4e468949b0faf3816ff48ca72094adbcff23559f670891032a018019

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
80KB

MD5
082bf2ee298ba1035506be8c253cff07

SHA1
9406cbc06e9c117105b691638da17c5def967cb4

SHA256
b5aad2cdb6e3e844ce3c9faae203e0a050d515bc1e29a144d86dbaec8762b444

SHA512
5ef09e5b491ad6c6366b9483de6271c05681e8b44b01d4bd3e75ba56732d2d647341ecfb4e468949b0faf3816ff48ca72094adbcff23559f670891032a018019

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
80KB

MD5
a59bf47323c8ef05b336e987c5cb533d

SHA1
86d01e3731f2126442e39ab127694f80ee965b49

SHA256
f71183a179f177caa60a7499b3d0ba9505d67aa0d2cf64bb5c15796acbcb027a

SHA512
056f9d15e6b053bdfa88c7a0f15e0c620a4b011ea162d19b178ec671f5663827c74bc701b030ec1a352919090f89e88f00c6cbc250ad258b0cd636cc4436220f

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
80KB

MD5
a59bf47323c8ef05b336e987c5cb533d

SHA1
86d01e3731f2126442e39ab127694f80ee965b49

SHA256
f71183a179f177caa60a7499b3d0ba9505d67aa0d2cf64bb5c15796acbcb027a

SHA512
056f9d15e6b053bdfa88c7a0f15e0c620a4b011ea162d19b178ec671f5663827c74bc701b030ec1a352919090f89e88f00c6cbc250ad258b0cd636cc4436220f

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
80KB

MD5
c3a15ced3d6b7d47cafca2e690148bae

SHA1
772e76929c0af3f0854f2027798dabba7a8d7ce9

SHA256
7731bd71dfd39a265471f1e3457765afcffb4eebdf1b454a76a5ec9a9ec7919b

SHA512
3f6c96f7281e38d0d06c9e4ed1951c57a27ae13ab3877f2e9051d75305c586ccb073acef5476ee627338ae4523a8bc6c7f7dc5d5412c18048c309c72ab885ac3

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
80KB

MD5
c3a15ced3d6b7d47cafca2e690148bae

SHA1
772e76929c0af3f0854f2027798dabba7a8d7ce9

SHA256
7731bd71dfd39a265471f1e3457765afcffb4eebdf1b454a76a5ec9a9ec7919b

SHA512
3f6c96f7281e38d0d06c9e4ed1951c57a27ae13ab3877f2e9051d75305c586ccb073acef5476ee627338ae4523a8bc6c7f7dc5d5412c18048c309c72ab885ac3

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
80KB

MD5
e73684ffefed48f8d02dd6d472235123

SHA1
e93d4751975ee8556621da15b47a4e554936c278

SHA256
b0f54a7e455971c2ab09c140257611b2211e9636c2e1ebe71b181495b37e4d54

SHA512
bca821be7052cb3d5502117029ac1239b59e468c789b8a7e6b2c832a0d61e90adadbdc9cae63d638527ff5b9244e133301c09b5ee815f491e597d2757f3c6699

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
80KB

MD5
e73684ffefed48f8d02dd6d472235123

SHA1
e93d4751975ee8556621da15b47a4e554936c278

SHA256
b0f54a7e455971c2ab09c140257611b2211e9636c2e1ebe71b181495b37e4d54

SHA512
bca821be7052cb3d5502117029ac1239b59e468c789b8a7e6b2c832a0d61e90adadbdc9cae63d638527ff5b9244e133301c09b5ee815f491e597d2757f3c6699

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
80KB

MD5
60c2985c6ece7bbcd630b00324c283bc

SHA1
7d8da2426c182c171d1a61f512c4bfb464d87a14

SHA256
9f9a5804a222bad65b67e53b222d2d0e44c6f1051713a4b337f7b2b69409c9e4

SHA512
ceafab3cf9fdcf650f45bc904590197b787ba388ba26a609c0aa20ec0f2e4e56000a236d9a7644be0515cb9403310964f0469904dd0afbba4f2443fbbd341814

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
80KB

MD5
60c2985c6ece7bbcd630b00324c283bc

SHA1
7d8da2426c182c171d1a61f512c4bfb464d87a14

SHA256
9f9a5804a222bad65b67e53b222d2d0e44c6f1051713a4b337f7b2b69409c9e4

SHA512
ceafab3cf9fdcf650f45bc904590197b787ba388ba26a609c0aa20ec0f2e4e56000a236d9a7644be0515cb9403310964f0469904dd0afbba4f2443fbbd341814

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
80KB

MD5
c8e3ef60bc3a6f64e1b403729f693cfc

SHA1
4b1cce1d048d256bbb2adc2c6d22849cfc8c146c

SHA256
2578c4a083cc7eb0ccf5ab58d38e306806698f7a753e2ed583f917175f2f8d69

SHA512
58e54e869dfb63681ed6fcc2b5e1c47848c0004acf45b6ffe2c4817206ebe01751143dcad57cf290af4906017171771b307bb1c85da456cd26eed678a1c7125f

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
80KB

MD5
c8e3ef60bc3a6f64e1b403729f693cfc

SHA1
4b1cce1d048d256bbb2adc2c6d22849cfc8c146c

SHA256
2578c4a083cc7eb0ccf5ab58d38e306806698f7a753e2ed583f917175f2f8d69

SHA512
58e54e869dfb63681ed6fcc2b5e1c47848c0004acf45b6ffe2c4817206ebe01751143dcad57cf290af4906017171771b307bb1c85da456cd26eed678a1c7125f

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
80KB

MD5
24ca5a2d32b4d058c327764a78908f23

SHA1
76105aecd1b0256f2857c295d7538153ab3e941c

SHA256
776c8f34f9ab861500951eddc2d53b4218646d2c7ed1628db9442d7fb28c4a0b

SHA512
98c7b28a6e2c0332b313f2d55386ab1ec018412243717e56e985eb93a8e0dd4a58aaa07111efbc63f119342af43911a94b9134ac9f6b6989d1f95a54fc76dc59

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
80KB

MD5
24ca5a2d32b4d058c327764a78908f23

SHA1
76105aecd1b0256f2857c295d7538153ab3e941c

SHA256
776c8f34f9ab861500951eddc2d53b4218646d2c7ed1628db9442d7fb28c4a0b

SHA512
98c7b28a6e2c0332b313f2d55386ab1ec018412243717e56e985eb93a8e0dd4a58aaa07111efbc63f119342af43911a94b9134ac9f6b6989d1f95a54fc76dc59

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
80KB

MD5
24122e619008443d712275e2289328c2

SHA1
45dd9423214d4b934cb1a4f72f12812b0329311b

SHA256
d3b6134bb92e257869698508b8a9e0adbcadc8a727842de46fa45e6e12c6ad91

SHA512
bfd235d5c13a174a83d34c3d0450b5f5d083c0884c697e6f085493d187d358710c7c9f3cf1da886ebeab965d87833c7af4e671b0d99c22b43d505e2548c4122c

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
80KB

MD5
24122e619008443d712275e2289328c2

SHA1
45dd9423214d4b934cb1a4f72f12812b0329311b

SHA256
d3b6134bb92e257869698508b8a9e0adbcadc8a727842de46fa45e6e12c6ad91

SHA512
bfd235d5c13a174a83d34c3d0450b5f5d083c0884c697e6f085493d187d358710c7c9f3cf1da886ebeab965d87833c7af4e671b0d99c22b43d505e2548c4122c

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
80KB

MD5
f5d81eb018239df591e5a890469828fd

SHA1
e753bd70632be4017c23ccfd6afa23074446cc08

SHA256
4df06d1ea351774342ba4a23aef5e4ce4da87c3f957ab95fe93fee0ecb8b9c3b

SHA512
7c19c4959c6d87b5e168a4949ce705d8d990eb54642bd5e5e453c73ce851bbb4c1acbc49b574794f0411554fd2cb70d13f7307dd25072028318eb88d8b1038c3

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
80KB

MD5
f5d81eb018239df591e5a890469828fd

SHA1
e753bd70632be4017c23ccfd6afa23074446cc08

SHA256
4df06d1ea351774342ba4a23aef5e4ce4da87c3f957ab95fe93fee0ecb8b9c3b

SHA512
7c19c4959c6d87b5e168a4949ce705d8d990eb54642bd5e5e453c73ce851bbb4c1acbc49b574794f0411554fd2cb70d13f7307dd25072028318eb88d8b1038c3

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
80KB

MD5
b7adf31af61ea3e3c7015b9f1aee8725

SHA1
2a9da992b3e25f219a7752676e43381c6c60f8ce

SHA256
9a35866620aae75968bde95dc51cfba4a201a0fa24005874455ec6c55db6f228

SHA512
faef5739758f5ac784b1fbb4c26079dc818eef6fa70a5271a64807654d249e5a3b8385a86f13b07edf28c982adfebc6f58a9ecac975c2849bb9181e76b4dd18b

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
80KB

MD5
b7adf31af61ea3e3c7015b9f1aee8725

SHA1
2a9da992b3e25f219a7752676e43381c6c60f8ce

SHA256
9a35866620aae75968bde95dc51cfba4a201a0fa24005874455ec6c55db6f228

SHA512
faef5739758f5ac784b1fbb4c26079dc818eef6fa70a5271a64807654d249e5a3b8385a86f13b07edf28c982adfebc6f58a9ecac975c2849bb9181e76b4dd18b

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
80KB

MD5
3df7f723106112ba5d5e1995f734abc8

SHA1
fc5cc6decd6451dd84e9481fe998cd609f8b455f

SHA256
a47efe86a6a5da5c13a5bb546aeb21b8adb068fe85c3b4bf993ae0f4fdd59769

SHA512
4aadd845df4be715052564b4f3feef59f2fcef5556852aa84953ed2a5bee64df9319f3302a92404556fe72f0558d3a17ee3371f58461ade340a2c09e29665c25

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
80KB

MD5
3df7f723106112ba5d5e1995f734abc8

SHA1
fc5cc6decd6451dd84e9481fe998cd609f8b455f

SHA256
a47efe86a6a5da5c13a5bb546aeb21b8adb068fe85c3b4bf993ae0f4fdd59769

SHA512
4aadd845df4be715052564b4f3feef59f2fcef5556852aa84953ed2a5bee64df9319f3302a92404556fe72f0558d3a17ee3371f58461ade340a2c09e29665c25

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
80KB

MD5
054509ff3b6544cd6e8bd9aa0e74618a

SHA1
64c3eb0a6c16a9b0fdcadfb502d76173929cc250

SHA256
45682323eea4c88087ee3b1e8b4e4a51de21e2448e6946030a0f41b7cd47ee03

SHA512
0edec7d2fe01ef76cd1ebad956865d46030609a3cf287e3af7c03436edf2fd79dd609dac654e64c65f405be2c6874150dcf7f59975a7488f5a8b08f3ce88693b

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
80KB

MD5
054509ff3b6544cd6e8bd9aa0e74618a

SHA1
64c3eb0a6c16a9b0fdcadfb502d76173929cc250

SHA256
45682323eea4c88087ee3b1e8b4e4a51de21e2448e6946030a0f41b7cd47ee03

SHA512
0edec7d2fe01ef76cd1ebad956865d46030609a3cf287e3af7c03436edf2fd79dd609dac654e64c65f405be2c6874150dcf7f59975a7488f5a8b08f3ce88693b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
80KB

MD5
765cf80ffd266ebdb7835eec53dcbb32

SHA1
379a4f672dd87059f96aba1e84117838d9c25806

SHA256
0a3036db5fd5b3dc62775466bb2f1319c21b4338f8bcd185fc291a9ba0307e4a

SHA512
3ddf8f157a5ba06b7eedef8ea29b8290345ea8606062edb8ebe9cae533e650089b7ed0b7f1fb600a30fa5290fc08156a6c404310c9ce844aae6d527a0407fa6a

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
80KB

MD5
765cf80ffd266ebdb7835eec53dcbb32

SHA1
379a4f672dd87059f96aba1e84117838d9c25806

SHA256
0a3036db5fd5b3dc62775466bb2f1319c21b4338f8bcd185fc291a9ba0307e4a

SHA512
3ddf8f157a5ba06b7eedef8ea29b8290345ea8606062edb8ebe9cae533e650089b7ed0b7f1fb600a30fa5290fc08156a6c404310c9ce844aae6d527a0407fa6a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
34a3b5f4da60a8d1da5d01062e5399ab

SHA1
e60494970401c87bf7a00386bb6518896b16fc4a

SHA256
f842a6b456861c3a36c117d63d5edccb51201e434ac632a8372aa756f6e90eb4

SHA512
9455b7ebf4219324dc516304a9a2203b3739eed611926c416150550921c7c5a836126cf4078f18b3dcc94261c14b9d4021b79f394b0ecfbcc5c19ad3c99e02fe

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
34a3b5f4da60a8d1da5d01062e5399ab

SHA1
e60494970401c87bf7a00386bb6518896b16fc4a

SHA256
f842a6b456861c3a36c117d63d5edccb51201e434ac632a8372aa756f6e90eb4

SHA512
9455b7ebf4219324dc516304a9a2203b3739eed611926c416150550921c7c5a836126cf4078f18b3dcc94261c14b9d4021b79f394b0ecfbcc5c19ad3c99e02fe

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
80KB

MD5
ed58981c299cfef1b493185996ad6ca8

SHA1
880f70c4ed917184865733a5d697c432cecad955

SHA256
7f3d2cb0f05e469dce1edaa825a6f647ace04e3b486ccf920eadde8b9552f665

SHA512
11e80c5092a337f3e65d510ef73c6e5ca5805db1de83031c40f79b510cf21753731d1aabf3faca931c82d3257c09331c0f11cb7cfa72b7e7b606cb2126410852

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
80KB

MD5
ed58981c299cfef1b493185996ad6ca8

SHA1
880f70c4ed917184865733a5d697c432cecad955

SHA256
7f3d2cb0f05e469dce1edaa825a6f647ace04e3b486ccf920eadde8b9552f665

SHA512
11e80c5092a337f3e65d510ef73c6e5ca5805db1de83031c40f79b510cf21753731d1aabf3faca931c82d3257c09331c0f11cb7cfa72b7e7b606cb2126410852

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
80KB

MD5
f2c495b7ed1748ccec7ea92bf75b552b

SHA1
980361a6a0e3a89f973f77f1422dcba98fea9383

SHA256
fa92dc378f599cb495049a05909213d0cfeb19a6cc9aa1ed9bc134578f180911

SHA512
fc3ce74327211f396231d400b54336e251fba2b7b87e6227d14caa1f1a9758630bc129e2bfbf038c289150bd6b7c8591ff744e21084b01131d49e80fa49f4f96

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
80KB

MD5
f2c495b7ed1748ccec7ea92bf75b552b

SHA1
980361a6a0e3a89f973f77f1422dcba98fea9383

SHA256
fa92dc378f599cb495049a05909213d0cfeb19a6cc9aa1ed9bc134578f180911

SHA512
fc3ce74327211f396231d400b54336e251fba2b7b87e6227d14caa1f1a9758630bc129e2bfbf038c289150bd6b7c8591ff744e21084b01131d49e80fa49f4f96

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
7ea40cbd5b59dc04d1d55adb84014322

SHA1
9602a2a54c40994998ba58b5deecc0a9bedc4b79

SHA256
b7ebf9c21a138ff13bef2bea7479a6ab285ffe50d0d19da9eecd5b5141191853

SHA512
f972705d73fd42062a20fbcd79d7fbe7f0ee11ffc4dd0b5394279687456c7e62e30c662beee4c4b15539f63343ad38436f13b981de23e92fa744812664773c83

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
7ea40cbd5b59dc04d1d55adb84014322

SHA1
9602a2a54c40994998ba58b5deecc0a9bedc4b79

SHA256
b7ebf9c21a138ff13bef2bea7479a6ab285ffe50d0d19da9eecd5b5141191853

SHA512
f972705d73fd42062a20fbcd79d7fbe7f0ee11ffc4dd0b5394279687456c7e62e30c662beee4c4b15539f63343ad38436f13b981de23e92fa744812664773c83

Download Submit
memory/624-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/624-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2404-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2404-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-214-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3156-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3156-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3176-210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3176-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4032-203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4032-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4112-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads