817ce257e750a0637965f8dbaeff4db5c4f92f4d30fead563eb6183029f92ded

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2023 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e570fe9b3573adb8b68dac0d9630e1cb.exe
Size

120KB
MD5

e570fe9b3573adb8b68dac0d9630e1cb
SHA1

7b77e9d0659642941da353f6370961865c52e5a6
SHA256

817ce257e750a0637965f8dbaeff4db5c4f92f4d30fead563eb6183029f92ded
SHA512

7d06928404db6c5725ecdcd2fcd04fa5175458f972360d73b7876ca0fb57f51002bd659f12955c3e515dfe02191d1081877e5a79fb0035725cc76dd2323763d4
SSDEEP

1536:JkamhZBFQvY3UiW+qHWK3+Y2d1DNZdWcToxpT2LD9TAjKw4lIt8AgH2v9jw2LhU:JkfLklQlYYDNZz+pwD9UKw4lIGH4dW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e570fe9b3573adb8b68dac0d9630e1cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e570fe9b3573adb8b68dac0d9630e1cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe

Executes dropped EXE 23 IoCs

pid	Process
2476	Aepefb32.exe
3716	Bfabnjjp.exe
1092	Bebblb32.exe
1372	Bmngqdpj.exe
1288	Bchomn32.exe
4484	Bnmcjg32.exe
1080	Bgehcmmm.exe
860	Bmbplc32.exe
4664	Bhhdil32.exe
4744	Cjinkg32.exe
3328	Cfpnph32.exe
4120	Cfbkeh32.exe
1668	Ceckcp32.exe
2864	Cjpckf32.exe
2768	Cajlhqjp.exe
2236	Cjbpaf32.exe
4656	Ddjejl32.exe
1328	Dmcibama.exe
2128	Dhhnpjmh.exe
4052	Daqbip32.exe
4992	Deokon32.exe
3096	Dmjocp32.exe
4060	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	e570fe9b3573adb8b68dac0d9630e1cb.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	e570fe9b3573adb8b68dac0d9630e1cb.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4716	4060	WerFault.exe	108

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e570fe9b3573adb8b68dac0d9630e1cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	e570fe9b3573adb8b68dac0d9630e1cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e570fe9b3573adb8b68dac0d9630e1cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e570fe9b3573adb8b68dac0d9630e1cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e570fe9b3573adb8b68dac0d9630e1cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e570fe9b3573adb8b68dac0d9630e1cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bnmcjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 2476	4404	e570fe9b3573adb8b68dac0d9630e1cb.exe	83
PID 4404 wrote to memory of 2476	4404	e570fe9b3573adb8b68dac0d9630e1cb.exe	83
PID 4404 wrote to memory of 2476	4404	e570fe9b3573adb8b68dac0d9630e1cb.exe	83
PID 2476 wrote to memory of 3716	2476	Aepefb32.exe	84
PID 2476 wrote to memory of 3716	2476	Aepefb32.exe	84
PID 2476 wrote to memory of 3716	2476	Aepefb32.exe	84
PID 3716 wrote to memory of 1092	3716	Bfabnjjp.exe	85
PID 3716 wrote to memory of 1092	3716	Bfabnjjp.exe	85
PID 3716 wrote to memory of 1092	3716	Bfabnjjp.exe	85
PID 1092 wrote to memory of 1372	1092	Bebblb32.exe	86
PID 1092 wrote to memory of 1372	1092	Bebblb32.exe	86
PID 1092 wrote to memory of 1372	1092	Bebblb32.exe	86
PID 1372 wrote to memory of 1288	1372	Bmngqdpj.exe	87
PID 1372 wrote to memory of 1288	1372	Bmngqdpj.exe	87
PID 1372 wrote to memory of 1288	1372	Bmngqdpj.exe	87
PID 1288 wrote to memory of 4484	1288	Bchomn32.exe	88
PID 1288 wrote to memory of 4484	1288	Bchomn32.exe	88
PID 1288 wrote to memory of 4484	1288	Bchomn32.exe	88
PID 4484 wrote to memory of 1080	4484	Bnmcjg32.exe	90
PID 4484 wrote to memory of 1080	4484	Bnmcjg32.exe	90
PID 4484 wrote to memory of 1080	4484	Bnmcjg32.exe	90
PID 1080 wrote to memory of 860	1080	Bgehcmmm.exe	91
PID 1080 wrote to memory of 860	1080	Bgehcmmm.exe	91
PID 1080 wrote to memory of 860	1080	Bgehcmmm.exe	91
PID 860 wrote to memory of 4664	860	Bmbplc32.exe	92
PID 860 wrote to memory of 4664	860	Bmbplc32.exe	92
PID 860 wrote to memory of 4664	860	Bmbplc32.exe	92
PID 4664 wrote to memory of 4744	4664	Bhhdil32.exe	93
PID 4664 wrote to memory of 4744	4664	Bhhdil32.exe	93
PID 4664 wrote to memory of 4744	4664	Bhhdil32.exe	93
PID 4744 wrote to memory of 3328	4744	Cjinkg32.exe	94
PID 4744 wrote to memory of 3328	4744	Cjinkg32.exe	94
PID 4744 wrote to memory of 3328	4744	Cjinkg32.exe	94
PID 3328 wrote to memory of 4120	3328	Cfpnph32.exe	95
PID 3328 wrote to memory of 4120	3328	Cfpnph32.exe	95
PID 3328 wrote to memory of 4120	3328	Cfpnph32.exe	95
PID 4120 wrote to memory of 1668	4120	Cfbkeh32.exe	97
PID 4120 wrote to memory of 1668	4120	Cfbkeh32.exe	97
PID 4120 wrote to memory of 1668	4120	Cfbkeh32.exe	97
PID 1668 wrote to memory of 2864	1668	Ceckcp32.exe	98
PID 1668 wrote to memory of 2864	1668	Ceckcp32.exe	98
PID 1668 wrote to memory of 2864	1668	Ceckcp32.exe	98
PID 2864 wrote to memory of 2768	2864	Cjpckf32.exe	99
PID 2864 wrote to memory of 2768	2864	Cjpckf32.exe	99
PID 2864 wrote to memory of 2768	2864	Cjpckf32.exe	99
PID 2768 wrote to memory of 2236	2768	Cajlhqjp.exe	100
PID 2768 wrote to memory of 2236	2768	Cajlhqjp.exe	100
PID 2768 wrote to memory of 2236	2768	Cajlhqjp.exe	100
PID 2236 wrote to memory of 4656	2236	Cjbpaf32.exe	101
PID 2236 wrote to memory of 4656	2236	Cjbpaf32.exe	101
PID 2236 wrote to memory of 4656	2236	Cjbpaf32.exe	101
PID 4656 wrote to memory of 1328	4656	Ddjejl32.exe	102
PID 4656 wrote to memory of 1328	4656	Ddjejl32.exe	102
PID 4656 wrote to memory of 1328	4656	Ddjejl32.exe	102
PID 1328 wrote to memory of 2128	1328	Dmcibama.exe	103
PID 1328 wrote to memory of 2128	1328	Dmcibama.exe	103
PID 1328 wrote to memory of 2128	1328	Dmcibama.exe	103
PID 2128 wrote to memory of 4052	2128	Dhhnpjmh.exe	104
PID 2128 wrote to memory of 4052	2128	Dhhnpjmh.exe	104
PID 2128 wrote to memory of 4052	2128	Dhhnpjmh.exe	104
PID 4052 wrote to memory of 4992	4052	Daqbip32.exe	105
PID 4052 wrote to memory of 4992	4052	Daqbip32.exe	105
PID 4052 wrote to memory of 4992	4052	Daqbip32.exe	105
PID 4992 wrote to memory of 3096	4992	Deokon32.exe	106

C:\Users\Admin\AppData\Local\Temp\e570fe9b3573adb8b68dac0d9630e1cb.exe
"C:\Users\Admin\AppData\Local\Temp\e570fe9b3573adb8b68dac0d9630e1cb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\SysWOW64\Aepefb32.exe
  C:\Windows\system32\Aepefb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\Bfabnjjp.exe
    C:\Windows\system32\Bfabnjjp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\SysWOW64\Bebblb32.exe
      C:\Windows\system32\Bebblb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 404
        25⤵
        Program crash
        
        PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4060 -ip 4060
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
120KB

MD5
e04a68cbca9533b8e12a083b5cd0fc60

SHA1
64053f418918be1733bec87ea5b8a947638a8bb1

SHA256
12ad77de3d8d779f04eb8cf25f6c295c050893e59cd533d21698642c2fd519fb

SHA512
9e1222e1b74729dd39d6bd3a55653c06156ddc2c1b6675989baee3b288344c43823060b9e34fc5e113fde29ad452ae0d63da71a24265a9df127382c173e067bc

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
120KB

MD5
e04a68cbca9533b8e12a083b5cd0fc60

SHA1
64053f418918be1733bec87ea5b8a947638a8bb1

SHA256
12ad77de3d8d779f04eb8cf25f6c295c050893e59cd533d21698642c2fd519fb

SHA512
9e1222e1b74729dd39d6bd3a55653c06156ddc2c1b6675989baee3b288344c43823060b9e34fc5e113fde29ad452ae0d63da71a24265a9df127382c173e067bc

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
120KB

MD5
d6f82b0d5f415e7a63fd4b36df3b5316

SHA1
b4fd5362ae60ca3d2bb8ae60bd5400db7614f206

SHA256
ad94562bddc5fd602e5c8eadce193a58fe6dbdac3d64a5034920a60aca58bfb2

SHA512
a5f6c5099b0f2ae21a38851088044722d957b905f4ed0da80c7b6178d4463d75b70706aea8574d2f4ae9c150634fed5d4580ae6dc0800781bf738596e662618f

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
120KB

MD5
d6f82b0d5f415e7a63fd4b36df3b5316

SHA1
b4fd5362ae60ca3d2bb8ae60bd5400db7614f206

SHA256
ad94562bddc5fd602e5c8eadce193a58fe6dbdac3d64a5034920a60aca58bfb2

SHA512
a5f6c5099b0f2ae21a38851088044722d957b905f4ed0da80c7b6178d4463d75b70706aea8574d2f4ae9c150634fed5d4580ae6dc0800781bf738596e662618f

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
120KB

MD5
c6265650ad9f6359cc1c9323d9de4c29

SHA1
90f7a524f6cb65bd9e1eedb9e2d48a4ec6f9f390

SHA256
b75e7f5594c9bb7721a5b4f502addfc5baa6264aa36b4e7b2d1f21d0786a2248

SHA512
76a88007f9dc2face8de7fbb646a6519765368599f4e04135baf1bda1e81d7de0821923e7a2ebaf0acd4c4a65e1277f349424c4c99086763e16f6713d1a2937c

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
120KB

MD5
c6265650ad9f6359cc1c9323d9de4c29

SHA1
90f7a524f6cb65bd9e1eedb9e2d48a4ec6f9f390

SHA256
b75e7f5594c9bb7721a5b4f502addfc5baa6264aa36b4e7b2d1f21d0786a2248

SHA512
76a88007f9dc2face8de7fbb646a6519765368599f4e04135baf1bda1e81d7de0821923e7a2ebaf0acd4c4a65e1277f349424c4c99086763e16f6713d1a2937c

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
120KB

MD5
783e25e8c9a1deb2d76f6fe86737d9fa

SHA1
8ea1c145537ab6a1aa674944e58fbaaeeaccd079

SHA256
a0e69f735a990e53591cb41e96f307fa37853c623adefcf3d6234a15637be62c

SHA512
58fc255806aace91bdb40d70b86fcf6784c1d6522701b235c91bf5f7bee3ba39e3042c9a36814845fd8df18a0e3a2474dd46734ac11ffcd41fff28d0d12d9875

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
120KB

MD5
783e25e8c9a1deb2d76f6fe86737d9fa

SHA1
8ea1c145537ab6a1aa674944e58fbaaeeaccd079

SHA256
a0e69f735a990e53591cb41e96f307fa37853c623adefcf3d6234a15637be62c

SHA512
58fc255806aace91bdb40d70b86fcf6784c1d6522701b235c91bf5f7bee3ba39e3042c9a36814845fd8df18a0e3a2474dd46734ac11ffcd41fff28d0d12d9875

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
120KB

MD5
84c5f24ef89e4ef3e766f958ff9d2dd9

SHA1
d43569a37961feeff6e2b313bdd658940a33beda

SHA256
a7febcd9e8b852522be4f45227d3cf2f3b3657b1cc0f9f158b754f0b3d359a5a

SHA512
dc1b3a7e53262dae00c59d38fb3fdfc8d7513801f8f6eea50a144f574f448833b8368d642d926d6f8d6a09755983bfe76d5a59151907f82ac4e5fd33abef957d

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
120KB

MD5
84c5f24ef89e4ef3e766f958ff9d2dd9

SHA1
d43569a37961feeff6e2b313bdd658940a33beda

SHA256
a7febcd9e8b852522be4f45227d3cf2f3b3657b1cc0f9f158b754f0b3d359a5a

SHA512
dc1b3a7e53262dae00c59d38fb3fdfc8d7513801f8f6eea50a144f574f448833b8368d642d926d6f8d6a09755983bfe76d5a59151907f82ac4e5fd33abef957d

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
120KB

MD5
9ae00092caace25090030ca4bf977fbb

SHA1
7b41ef833f0ee3d6fc3d1d77d37c0a1e927f0c96

SHA256
bd5f1b2a8e0c2306bb57b2537951842c61f524a00f5c4cac48054bd152ed192a

SHA512
c3434ec0273cf3a592b4d7668cb7b10a5e0045e432b350abd14b96bcb02b4e2e32aa6e5d668796972bd7fb5e8c3572232e05c0db2893df21b31c9225476ace94

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
120KB

MD5
9ae00092caace25090030ca4bf977fbb

SHA1
7b41ef833f0ee3d6fc3d1d77d37c0a1e927f0c96

SHA256
bd5f1b2a8e0c2306bb57b2537951842c61f524a00f5c4cac48054bd152ed192a

SHA512
c3434ec0273cf3a592b4d7668cb7b10a5e0045e432b350abd14b96bcb02b4e2e32aa6e5d668796972bd7fb5e8c3572232e05c0db2893df21b31c9225476ace94

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
120KB

MD5
a32079ef411f400fffd3927f09c16d39

SHA1
5eed26aa70b5fdb04e686c73157c47024ead659b

SHA256
4702cce8d3e0c36c103dc79557339b43f9015690e928e2d8e942107701a2264e

SHA512
2708c63f5797243685720db2fb743b96943e00675cea230d6c49ee4632032dc3e047df470bc709cafcc98d3ff439fe808c875e89a352dfa20f1faf8a606266b5

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
120KB

MD5
a32079ef411f400fffd3927f09c16d39

SHA1
5eed26aa70b5fdb04e686c73157c47024ead659b

SHA256
4702cce8d3e0c36c103dc79557339b43f9015690e928e2d8e942107701a2264e

SHA512
2708c63f5797243685720db2fb743b96943e00675cea230d6c49ee4632032dc3e047df470bc709cafcc98d3ff439fe808c875e89a352dfa20f1faf8a606266b5

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
120KB

MD5
e7fce8378a98048f33c535ba11d1287c

SHA1
d7ddba6ac1836f1bab7763ed4b050ba414567bb6

SHA256
d857155393e653a7a818956d3b0b24fd7d3ae8fe9566a745f959764d7f922a54

SHA512
467e515d342651f2375dc88733df3decd9dfbeb91cc219f94df99c1fd503b84ec4844edf587374c2ab974389ea40e2e4ddd98832597dc6c007926cf242d4cb62

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
120KB

MD5
e7fce8378a98048f33c535ba11d1287c

SHA1
d7ddba6ac1836f1bab7763ed4b050ba414567bb6

SHA256
d857155393e653a7a818956d3b0b24fd7d3ae8fe9566a745f959764d7f922a54

SHA512
467e515d342651f2375dc88733df3decd9dfbeb91cc219f94df99c1fd503b84ec4844edf587374c2ab974389ea40e2e4ddd98832597dc6c007926cf242d4cb62

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
120KB

MD5
e7fce8378a98048f33c535ba11d1287c

SHA1
d7ddba6ac1836f1bab7763ed4b050ba414567bb6

SHA256
d857155393e653a7a818956d3b0b24fd7d3ae8fe9566a745f959764d7f922a54

SHA512
467e515d342651f2375dc88733df3decd9dfbeb91cc219f94df99c1fd503b84ec4844edf587374c2ab974389ea40e2e4ddd98832597dc6c007926cf242d4cb62

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
120KB

MD5
094ac65fb594eda05b42dcde29c1013c

SHA1
f6f8564ba4f2696d1cd07593716525f60ad419a9

SHA256
1c3fd3a14a5186765be5720a6c0d4d79b660db94282c122fb18c6d3c63a53483

SHA512
0942cc67c75e26a396b118ba9bdcc40cc263ae0d3a2160586aa1dac437ce8ac39a8a12aa2a2ce311cda546b461740cbd748b1b11a18124e467eaf90ce0b76883

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
120KB

MD5
094ac65fb594eda05b42dcde29c1013c

SHA1
f6f8564ba4f2696d1cd07593716525f60ad419a9

SHA256
1c3fd3a14a5186765be5720a6c0d4d79b660db94282c122fb18c6d3c63a53483

SHA512
0942cc67c75e26a396b118ba9bdcc40cc263ae0d3a2160586aa1dac437ce8ac39a8a12aa2a2ce311cda546b461740cbd748b1b11a18124e467eaf90ce0b76883

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
120KB

MD5
98087829646817a486501c1b685e40a3

SHA1
91919dd1b04ab17defa1358750627d3633fb1bcb

SHA256
05bd11d006bda6d143e255f2ca525bbd7e2952330c7d674d05168fb25e0fec7f

SHA512
1dda96a851b0e611010cc56af0328a6447da1f61a3b7e2fc10747ffdb71323c0dc47b057b7abfcb32fd2842d497fc66c8841642f0fe8752bd62ec17648c1fe15

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
120KB

MD5
98087829646817a486501c1b685e40a3

SHA1
91919dd1b04ab17defa1358750627d3633fb1bcb

SHA256
05bd11d006bda6d143e255f2ca525bbd7e2952330c7d674d05168fb25e0fec7f

SHA512
1dda96a851b0e611010cc56af0328a6447da1f61a3b7e2fc10747ffdb71323c0dc47b057b7abfcb32fd2842d497fc66c8841642f0fe8752bd62ec17648c1fe15

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
120KB

MD5
9d1b4422521c337dac3dd3bb9a3c6225

SHA1
acc965e81ff22e1e19306650fdabdb27070857a4

SHA256
2364ac820d45846e88fe40d119be9d725c4f3409b9495d8ad8b5c0df47e94dbd

SHA512
d62618433b93ff71442ca1c3b8fb83e840e989ced3aded4bba5a9ce34fb4d49f268cebc4dac814ec836398742ed0505014f3d1ef3a276248bda22f2a7e6a98bb

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
120KB

MD5
9d1b4422521c337dac3dd3bb9a3c6225

SHA1
acc965e81ff22e1e19306650fdabdb27070857a4

SHA256
2364ac820d45846e88fe40d119be9d725c4f3409b9495d8ad8b5c0df47e94dbd

SHA512
d62618433b93ff71442ca1c3b8fb83e840e989ced3aded4bba5a9ce34fb4d49f268cebc4dac814ec836398742ed0505014f3d1ef3a276248bda22f2a7e6a98bb

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
120KB

MD5
a00f2765431c3fc69f5d3053187d7f42

SHA1
b44c98aa9cc1cf43314c324878318e9d38e0bf1b

SHA256
34ff62bc77d25bde9e17b6dd373e608bb8cc64596ed2724c0522e7cbc9af416f

SHA512
c10211bb65c7adecc504c60ea7b84b9f005de581a3d28e549c2ef6d026353aaa3770091e4aae852cffbb532d7e611838ebee6b2c3211f5ec29cef81647af2bf7

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
120KB

MD5
a00f2765431c3fc69f5d3053187d7f42

SHA1
b44c98aa9cc1cf43314c324878318e9d38e0bf1b

SHA256
34ff62bc77d25bde9e17b6dd373e608bb8cc64596ed2724c0522e7cbc9af416f

SHA512
c10211bb65c7adecc504c60ea7b84b9f005de581a3d28e549c2ef6d026353aaa3770091e4aae852cffbb532d7e611838ebee6b2c3211f5ec29cef81647af2bf7

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
120KB

MD5
6ea3217229f2b394f61e4aed4355fce0

SHA1
30cf33c620e331e09cee62ac1f1c995483c10e88

SHA256
caecaa496570d47a4fd8af61f0ec04b51c05571ec835bfff4d4b7af1220e5d23

SHA512
b518d4f081e20f423b0813701660c54862798165543939cf19091d9dd61409da5823da0f87619f094b6bcf8dea9e823678aa4cd9d3de663f9ade363f7e1dcadd

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
120KB

MD5
6ea3217229f2b394f61e4aed4355fce0

SHA1
30cf33c620e331e09cee62ac1f1c995483c10e88

SHA256
caecaa496570d47a4fd8af61f0ec04b51c05571ec835bfff4d4b7af1220e5d23

SHA512
b518d4f081e20f423b0813701660c54862798165543939cf19091d9dd61409da5823da0f87619f094b6bcf8dea9e823678aa4cd9d3de663f9ade363f7e1dcadd

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
120KB

MD5
263eeca56fc35e8585eedd326a426036

SHA1
75283d87a8b28ae9e8bb6aabb1bf4523159a3c65

SHA256
aa5a51c50bd2d8dd0995799e58a86ec086c7a2b36b188c9500cb56f192feb8ea

SHA512
62a71c0d674fdd605e07b404462db3257a026260a1c7796cfb44f85c4962a1eb8cf8a04d90b327f526b7abf1655a44683901972f5fa00c8a1051c066aa6371bb

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
120KB

MD5
263eeca56fc35e8585eedd326a426036

SHA1
75283d87a8b28ae9e8bb6aabb1bf4523159a3c65

SHA256
aa5a51c50bd2d8dd0995799e58a86ec086c7a2b36b188c9500cb56f192feb8ea

SHA512
62a71c0d674fdd605e07b404462db3257a026260a1c7796cfb44f85c4962a1eb8cf8a04d90b327f526b7abf1655a44683901972f5fa00c8a1051c066aa6371bb

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
120KB

MD5
5746212653b64bf9c2a84dfa11f8b06c

SHA1
8ce02fdede79a5ef71a7d099e6cb8ab86bebccf3

SHA256
d75cef2399ee0112e022ba4519f12108646376ffda5ef616cf26fc23145e7117

SHA512
722b9358d4eddd6de3e706fcf75c7c98a44fdd1943e6bb94be257f110f288991f51f8e11c7f3588e27de0c7906dd814cdc1f1a204d6954b218696f82c9e6e1d1

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
120KB

MD5
5746212653b64bf9c2a84dfa11f8b06c

SHA1
8ce02fdede79a5ef71a7d099e6cb8ab86bebccf3

SHA256
d75cef2399ee0112e022ba4519f12108646376ffda5ef616cf26fc23145e7117

SHA512
722b9358d4eddd6de3e706fcf75c7c98a44fdd1943e6bb94be257f110f288991f51f8e11c7f3588e27de0c7906dd814cdc1f1a204d6954b218696f82c9e6e1d1

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
120KB

MD5
bef575442ea2f7be442d4435a544430c

SHA1
a920f2bafaebf7bacbdf241d1e92d9df406e17d8

SHA256
0935ac6a14fe0f7c34cdfab23b40f5f47dd3ce60abfe92c3bae64cf14cfb385f

SHA512
5e26f3c520dcdeddd51a78f74005a13f14f41ce3c506c67b99e2cf1100ffc1207c9f33904482ab1d2c33c33b7d7a308da64aa72b38f9b3d54f1100b2c6efc47f

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
120KB

MD5
bef575442ea2f7be442d4435a544430c

SHA1
a920f2bafaebf7bacbdf241d1e92d9df406e17d8

SHA256
0935ac6a14fe0f7c34cdfab23b40f5f47dd3ce60abfe92c3bae64cf14cfb385f

SHA512
5e26f3c520dcdeddd51a78f74005a13f14f41ce3c506c67b99e2cf1100ffc1207c9f33904482ab1d2c33c33b7d7a308da64aa72b38f9b3d54f1100b2c6efc47f

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
120KB

MD5
87ead94231c984d5f461897a9114fb88

SHA1
e868fa4845ef1e6bf78bbb390c6b9df06df964b2

SHA256
88dc502271d329437043ba208fe9a73ccbe28c9e7370eb1d000e107af56b71d6

SHA512
358cbd59ef0d176ea579dbe9e09dda22bff0e7959b0caf13341d9ada83184d70ce46a9e200c64da160578d4615e9cfcecb5dcb6e7a2cfb96a982bc32b164823c

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
120KB

MD5
87ead94231c984d5f461897a9114fb88

SHA1
e868fa4845ef1e6bf78bbb390c6b9df06df964b2

SHA256
88dc502271d329437043ba208fe9a73ccbe28c9e7370eb1d000e107af56b71d6

SHA512
358cbd59ef0d176ea579dbe9e09dda22bff0e7959b0caf13341d9ada83184d70ce46a9e200c64da160578d4615e9cfcecb5dcb6e7a2cfb96a982bc32b164823c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
120KB

MD5
28fd60100bac4a86aa7e82cbd5f1ffc9

SHA1
a3dc405d68a34125d1e5e49fa11b3f35257e8e07

SHA256
fdcd2c4f13dc1c97350c4bce5c8f36b8197871faf65c666766c394e444bbc0bd

SHA512
f30190cbeb3b583eb7b38b5c142fddada525ebc4e04499354928b1056760e1801ba5abe1c0180a7a8c1dc3978a000607c144ed406494619a80f562de3951256e

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
120KB

MD5
28fd60100bac4a86aa7e82cbd5f1ffc9

SHA1
a3dc405d68a34125d1e5e49fa11b3f35257e8e07

SHA256
fdcd2c4f13dc1c97350c4bce5c8f36b8197871faf65c666766c394e444bbc0bd

SHA512
f30190cbeb3b583eb7b38b5c142fddada525ebc4e04499354928b1056760e1801ba5abe1c0180a7a8c1dc3978a000607c144ed406494619a80f562de3951256e

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
120KB

MD5
a7dff9b7bb328189f6eaeff12f74189b

SHA1
c0df49fb89864b25e3d2c1851352d3d3afd3f304

SHA256
5d6533de2383439cf83ba28910e0fc747560fa186afc5f6f9db7ba5fe34dfb4d

SHA512
60c25695d8e2315ce7b100fe7c458355b802b0336d3f2cfd888a8ec94532b4cd8175d9752f5ec68b6e7f39697d62e5042040a88efd20232ac593801bf600b4ba

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
120KB

MD5
a7dff9b7bb328189f6eaeff12f74189b

SHA1
c0df49fb89864b25e3d2c1851352d3d3afd3f304

SHA256
5d6533de2383439cf83ba28910e0fc747560fa186afc5f6f9db7ba5fe34dfb4d

SHA512
60c25695d8e2315ce7b100fe7c458355b802b0336d3f2cfd888a8ec94532b4cd8175d9752f5ec68b6e7f39697d62e5042040a88efd20232ac593801bf600b4ba

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
120KB

MD5
ae58dc5b1b1302616c765e95e727ffcc

SHA1
eedb385a4651e7fbb7c587ea08b0fc09ebe4f780

SHA256
8be29e259ef821aafaab5c474c8e0343375ee795f5d3b4ca342a45f4d452803d

SHA512
622caada510980dee0345f5ff1c622f126f14eedd28bee67fddf33cbd1c06f8ad2e85cccaf41f27d3b1e605a69723eb768940cbc0d9b60189dfa2be2a1ab0bd2

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
120KB

MD5
ae58dc5b1b1302616c765e95e727ffcc

SHA1
eedb385a4651e7fbb7c587ea08b0fc09ebe4f780

SHA256
8be29e259ef821aafaab5c474c8e0343375ee795f5d3b4ca342a45f4d452803d

SHA512
622caada510980dee0345f5ff1c622f126f14eedd28bee67fddf33cbd1c06f8ad2e85cccaf41f27d3b1e605a69723eb768940cbc0d9b60189dfa2be2a1ab0bd2

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
120KB

MD5
851c830f941ada1c8281eb6a3ae989fa

SHA1
91a6081d9a92a80867d5594eb6cfd79fd4724c30

SHA256
554b9f54ff70098522a7e42e090b1c3c6f3415924fe7bfdc6e592a19c3fad2ac

SHA512
79eb3e829275d2adca93206ee61254156f5440f9ee26a2fc6bb19e306ce5d490c12d9e1762060a977ab45916d4d49d765eccf7466bbdb56452f11a73a6d56f35

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
120KB

MD5
851c830f941ada1c8281eb6a3ae989fa

SHA1
91a6081d9a92a80867d5594eb6cfd79fd4724c30

SHA256
554b9f54ff70098522a7e42e090b1c3c6f3415924fe7bfdc6e592a19c3fad2ac

SHA512
79eb3e829275d2adca93206ee61254156f5440f9ee26a2fc6bb19e306ce5d490c12d9e1762060a977ab45916d4d49d765eccf7466bbdb56452f11a73a6d56f35

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
120KB

MD5
d429526fc8b7c4ce8dbd9386dd4e450f

SHA1
e3b9b632e83d7d6cd76496aa3d89aa4581c6887f

SHA256
a2da40136cb1f86ba6862f81b5c6e1d7789d39ccff93c3c31b27bfbdf7980818

SHA512
7c11f125c141f8f8328149bb81e17219b0849e45c40fcc6e3b468cce32d634980cd4008681877a48636ff043cf121becc98efb1db03a74bc9608f8e3c7dcef2f

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
120KB

MD5
d429526fc8b7c4ce8dbd9386dd4e450f

SHA1
e3b9b632e83d7d6cd76496aa3d89aa4581c6887f

SHA256
a2da40136cb1f86ba6862f81b5c6e1d7789d39ccff93c3c31b27bfbdf7980818

SHA512
7c11f125c141f8f8328149bb81e17219b0849e45c40fcc6e3b468cce32d634980cd4008681877a48636ff043cf121becc98efb1db03a74bc9608f8e3c7dcef2f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
120KB

MD5
c61b3011a9a6e5a08a91026b886569a3

SHA1
dffc62be6437426b051d55a04fcbe3b1bd76d99d

SHA256
7632fc25e2274fe5445a357deb10dec88dda6a9bcd3af43f2d9c6db3ae3a6d2e

SHA512
37f406f5083f800df2668a19b68b5e8f00c6285bb2042da7610409fad70d90e6711217781a34415fc0bf3074c29a0b0f7adb3d6a4a4697dff386436d4f813a6a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
120KB

MD5
c61b3011a9a6e5a08a91026b886569a3

SHA1
dffc62be6437426b051d55a04fcbe3b1bd76d99d

SHA256
7632fc25e2274fe5445a357deb10dec88dda6a9bcd3af43f2d9c6db3ae3a6d2e

SHA512
37f406f5083f800df2668a19b68b5e8f00c6285bb2042da7610409fad70d90e6711217781a34415fc0bf3074c29a0b0f7adb3d6a4a4697dff386436d4f813a6a

Download Submit
memory/860-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads