26710e70f46698b24cd59af90987dd889e164629ab565ba21d5f114c0b605c23

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33401b2e9fab4422e8a1b5153c3490cb.exe
Size

55KB
MD5

33401b2e9fab4422e8a1b5153c3490cb
SHA1

c535130f59524a159a24c3db9ed4dc19cf77e982
SHA256

26710e70f46698b24cd59af90987dd889e164629ab565ba21d5f114c0b605c23
SHA512

d738b1a32334d72c7d0816f6705c7da9a045bf713d66f14e437f962ba81c0472b0bfedd0dc5282f92fe65fc817ae4f5cec8b4663d5e54d41f9a38cd1b8b65730
SSDEEP

768:fuRcePaNl3q5Eqhzn6UXQ23ESODVXlutFqOQVIpCTiH5drC70qtsbc4EcE2p/1Hk:fNePaNl3q5V96m1UlDVXGFlrG+E2L6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	33401b2e9fab4422e8a1b5153c3490cb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklmgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmehnan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doehqead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	33401b2e9fab4422e8a1b5153c3490cb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bppoqeja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chpmpg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbjbaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklmgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bppoqeja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppkph32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doehqead.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgpef32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chpmpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmehnan.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cppkph32.exe

Executes dropped EXE 19 IoCs

pid	Process
2356	Bbjbaa32.exe
2740	Bppoqeja.exe
2768	Blgpef32.exe
2820	Cklmgb32.exe
2512	Chpmpg32.exe
3020	Cnmehnan.exe
1548	Cdgneh32.exe
2692	Cjdfmo32.exe
2920	Cpnojioo.exe
1900	Cghggc32.exe
1664	Cppkph32.exe
296	Doehqead.exe
572	Dccagcgk.exe
1048	Dbhnhp32.exe
2400	Dfffnn32.exe
2256	Enakbp32.exe
3000	Ehgppi32.exe
432	Fjaonpnn.exe
1056	Fkckeh32.exe

Loads dropped DLL 42 IoCs

pid	Process
2596	33401b2e9fab4422e8a1b5153c3490cb.exe
2596	33401b2e9fab4422e8a1b5153c3490cb.exe
2356	Bbjbaa32.exe
2356	Bbjbaa32.exe
2740	Bppoqeja.exe
2740	Bppoqeja.exe
2768	Blgpef32.exe
2768	Blgpef32.exe
2820	Cklmgb32.exe
2820	Cklmgb32.exe
2512	Chpmpg32.exe
2512	Chpmpg32.exe
3020	Cnmehnan.exe
3020	Cnmehnan.exe
1548	Cdgneh32.exe
1548	Cdgneh32.exe
2692	Cjdfmo32.exe
2692	Cjdfmo32.exe
2920	Cpnojioo.exe
2920	Cpnojioo.exe
1900	Cghggc32.exe
1900	Cghggc32.exe
1664	Cppkph32.exe
1664	Cppkph32.exe
296	Doehqead.exe
296	Doehqead.exe
572	Dccagcgk.exe
572	Dccagcgk.exe
1048	Dbhnhp32.exe
1048	Dbhnhp32.exe
2400	Dfffnn32.exe
2400	Dfffnn32.exe
2256	Enakbp32.exe
2256	Enakbp32.exe
3000	Ehgppi32.exe
3000	Ehgppi32.exe
432	Fjaonpnn.exe
432	Fjaonpnn.exe
796	WerFault.exe
796	WerFault.exe
796	WerFault.exe
796	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fjaonpnn.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Hoogfn32.dll	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Chpmpg32.exe	Cklmgb32.exe
File created	C:\Windows\SysWOW64\Cppkph32.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhnhp32.exe	Dccagcgk.exe
File opened for modification	C:\Windows\SysWOW64\Dccagcgk.exe	Doehqead.exe
File created	C:\Windows\SysWOW64\Cnmehnan.exe	Chpmpg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdgneh32.exe	Cnmehnan.exe
File opened for modification	C:\Windows\SysWOW64\Doehqead.exe	Cppkph32.exe
File created	C:\Windows\SysWOW64\Jjhhpp32.dll	Cklmgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cppkph32.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Dfffnn32.exe	Dbhnhp32.exe
File opened for modification	C:\Windows\SysWOW64\Enakbp32.exe	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fjaonpnn.exe
File created	C:\Windows\SysWOW64\Bppoqeja.exe	Bbjbaa32.exe
File created	C:\Windows\SysWOW64\Cdgneh32.exe	Cnmehnan.exe
File opened for modification	C:\Windows\SysWOW64\Cjdfmo32.exe	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Mghohc32.dll	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Dccagcgk.exe	Doehqead.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Blgpef32.exe	Bppoqeja.exe
File created	C:\Windows\SysWOW64\Iifjjk32.dll	Doehqead.exe
File created	C:\Windows\SysWOW64\Fjaonpnn.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Cklmgb32.exe	Blgpef32.exe
File created	C:\Windows\SysWOW64\Nmnlfg32.dll	Cnmehnan.exe
File created	C:\Windows\SysWOW64\Focnmm32.dll	Dbhnhp32.exe
File opened for modification	C:\Windows\SysWOW64\Bppoqeja.exe	Bbjbaa32.exe
File created	C:\Windows\SysWOW64\Eddpkh32.dll	Bbjbaa32.exe
File created	C:\Windows\SysWOW64\Chpmpg32.exe	Cklmgb32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fjaonpnn.exe
File opened for modification	C:\Windows\SysWOW64\Blgpef32.exe	Bppoqeja.exe
File created	C:\Windows\SysWOW64\Elgkkpon.dll	Cjdfmo32.exe
File created	C:\Windows\SysWOW64\Dbhnhp32.exe	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Bpooed32.dll	Bppoqeja.exe
File created	C:\Windows\SysWOW64\Mhkdik32.dll	Cghggc32.exe
File created	C:\Windows\SysWOW64\Edekcace.dll	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Enakbp32.exe	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Cjdfmo32.exe	Cdgneh32.exe
File opened for modification	C:\Windows\SysWOW64\Cpnojioo.exe	Cjdfmo32.exe
File created	C:\Windows\SysWOW64\Plnoej32.dll	Cppkph32.exe
File created	C:\Windows\SysWOW64\Olkbjhpi.dll	Blgpef32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmehnan.exe	Chpmpg32.exe
File created	C:\Windows\SysWOW64\Opiehf32.dll	Chpmpg32.exe
File created	C:\Windows\SysWOW64\Cghggc32.exe	Cpnojioo.exe
File created	C:\Windows\SysWOW64\Mnghjbjl.dll	Cpnojioo.exe
File opened for modification	C:\Windows\SysWOW64\Bbjbaa32.exe	33401b2e9fab4422e8a1b5153c3490cb.exe
File created	C:\Windows\SysWOW64\Pmbdhi32.dll	33401b2e9fab4422e8a1b5153c3490cb.exe
File opened for modification	C:\Windows\SysWOW64\Cklmgb32.exe	Blgpef32.exe
File created	C:\Windows\SysWOW64\Lednakhd.dll	Dfffnn32.exe
File opened for modification	C:\Windows\SysWOW64\Ehgppi32.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Geemiobo.dll	Enakbp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfffnn32.exe	Dbhnhp32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fjaonpnn.exe
File created	C:\Windows\SysWOW64\Bbjbaa32.exe	33401b2e9fab4422e8a1b5153c3490cb.exe
File created	C:\Windows\SysWOW64\Doehqead.exe	Cppkph32.exe
File created	C:\Windows\SysWOW64\Cpnojioo.exe	Cjdfmo32.exe
File opened for modification	C:\Windows\SysWOW64\Cghggc32.exe	Cpnojioo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
796	1056	WerFault.exe	46

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doehqead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll"	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	33401b2e9fab4422e8a1b5153c3490cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll"	Bppoqeja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll"	Cnmehnan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnoej32.dll"	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chpmpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll"	Cpnojioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cghggc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cppkph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll"	Doehqead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbdhi32.dll"	33401b2e9fab4422e8a1b5153c3490cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddpkh32.dll"	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll"	Cklmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	33401b2e9fab4422e8a1b5153c3490cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	33401b2e9fab4422e8a1b5153c3490cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjdfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cghggc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cppkph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bppoqeja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbjbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiehf32.dll"	Chpmpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll"	Dbhnhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmehnan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpnojioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjaonpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	33401b2e9fab4422e8a1b5153c3490cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chpmpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbhnhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmehnan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	33401b2e9fab4422e8a1b5153c3490cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgkkpon.dll"	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bppoqeja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjdfmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doehqead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkbjhpi.dll"	Blgpef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehgppi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2356	2596	33401b2e9fab4422e8a1b5153c3490cb.exe	28
PID 2596 wrote to memory of 2356	2596	33401b2e9fab4422e8a1b5153c3490cb.exe	28
PID 2596 wrote to memory of 2356	2596	33401b2e9fab4422e8a1b5153c3490cb.exe	28
PID 2596 wrote to memory of 2356	2596	33401b2e9fab4422e8a1b5153c3490cb.exe	28
PID 2356 wrote to memory of 2740	2356	Bbjbaa32.exe	29
PID 2356 wrote to memory of 2740	2356	Bbjbaa32.exe	29
PID 2356 wrote to memory of 2740	2356	Bbjbaa32.exe	29
PID 2356 wrote to memory of 2740	2356	Bbjbaa32.exe	29
PID 2740 wrote to memory of 2768	2740	Bppoqeja.exe	30
PID 2740 wrote to memory of 2768	2740	Bppoqeja.exe	30
PID 2740 wrote to memory of 2768	2740	Bppoqeja.exe	30
PID 2740 wrote to memory of 2768	2740	Bppoqeja.exe	30
PID 2768 wrote to memory of 2820	2768	Blgpef32.exe	31
PID 2768 wrote to memory of 2820	2768	Blgpef32.exe	31
PID 2768 wrote to memory of 2820	2768	Blgpef32.exe	31
PID 2768 wrote to memory of 2820	2768	Blgpef32.exe	31
PID 2820 wrote to memory of 2512	2820	Cklmgb32.exe	32
PID 2820 wrote to memory of 2512	2820	Cklmgb32.exe	32
PID 2820 wrote to memory of 2512	2820	Cklmgb32.exe	32
PID 2820 wrote to memory of 2512	2820	Cklmgb32.exe	32
PID 2512 wrote to memory of 3020	2512	Chpmpg32.exe	33
PID 2512 wrote to memory of 3020	2512	Chpmpg32.exe	33
PID 2512 wrote to memory of 3020	2512	Chpmpg32.exe	33
PID 2512 wrote to memory of 3020	2512	Chpmpg32.exe	33
PID 3020 wrote to memory of 1548	3020	Cnmehnan.exe	43
PID 3020 wrote to memory of 1548	3020	Cnmehnan.exe	43
PID 3020 wrote to memory of 1548	3020	Cnmehnan.exe	43
PID 3020 wrote to memory of 1548	3020	Cnmehnan.exe	43
PID 1548 wrote to memory of 2692	1548	Cdgneh32.exe	34
PID 1548 wrote to memory of 2692	1548	Cdgneh32.exe	34
PID 1548 wrote to memory of 2692	1548	Cdgneh32.exe	34
PID 1548 wrote to memory of 2692	1548	Cdgneh32.exe	34
PID 2692 wrote to memory of 2920	2692	Cjdfmo32.exe	42
PID 2692 wrote to memory of 2920	2692	Cjdfmo32.exe	42
PID 2692 wrote to memory of 2920	2692	Cjdfmo32.exe	42
PID 2692 wrote to memory of 2920	2692	Cjdfmo32.exe	42
PID 2920 wrote to memory of 1900	2920	Cpnojioo.exe	35
PID 2920 wrote to memory of 1900	2920	Cpnojioo.exe	35
PID 2920 wrote to memory of 1900	2920	Cpnojioo.exe	35
PID 2920 wrote to memory of 1900	2920	Cpnojioo.exe	35
PID 1900 wrote to memory of 1664	1900	Cghggc32.exe	36
PID 1900 wrote to memory of 1664	1900	Cghggc32.exe	36
PID 1900 wrote to memory of 1664	1900	Cghggc32.exe	36
PID 1900 wrote to memory of 1664	1900	Cghggc32.exe	36
PID 1664 wrote to memory of 296	1664	Cppkph32.exe	37
PID 1664 wrote to memory of 296	1664	Cppkph32.exe	37
PID 1664 wrote to memory of 296	1664	Cppkph32.exe	37
PID 1664 wrote to memory of 296	1664	Cppkph32.exe	37
PID 296 wrote to memory of 572	296	Doehqead.exe	38
PID 296 wrote to memory of 572	296	Doehqead.exe	38
PID 296 wrote to memory of 572	296	Doehqead.exe	38
PID 296 wrote to memory of 572	296	Doehqead.exe	38
PID 572 wrote to memory of 1048	572	Dccagcgk.exe	41
PID 572 wrote to memory of 1048	572	Dccagcgk.exe	41
PID 572 wrote to memory of 1048	572	Dccagcgk.exe	41
PID 572 wrote to memory of 1048	572	Dccagcgk.exe	41
PID 1048 wrote to memory of 2400	1048	Dbhnhp32.exe	40
PID 1048 wrote to memory of 2400	1048	Dbhnhp32.exe	40
PID 1048 wrote to memory of 2400	1048	Dbhnhp32.exe	40
PID 1048 wrote to memory of 2400	1048	Dbhnhp32.exe	40
PID 2400 wrote to memory of 2256	2400	Dfffnn32.exe	39
PID 2400 wrote to memory of 2256	2400	Dfffnn32.exe	39
PID 2400 wrote to memory of 2256	2400	Dfffnn32.exe	39
PID 2400 wrote to memory of 2256	2400	Dfffnn32.exe	39

C:\Users\Admin\AppData\Local\Temp\33401b2e9fab4422e8a1b5153c3490cb.exe
"C:\Users\Admin\AppData\Local\Temp\33401b2e9fab4422e8a1b5153c3490cb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\Bbjbaa32.exe
  C:\Windows\system32\Bbjbaa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\Bppoqeja.exe
    C:\Windows\system32\Bppoqeja.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\Blgpef32.exe
      C:\Windows\system32\Blgpef32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\Cklmgb32.exe
        
        C:\Windows\system32\Cklmgb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Chpmpg32.exe
        
        C:\Windows\system32\Chpmpg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Cnmehnan.exe
        
        C:\Windows\system32\Cnmehnan.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Cdgneh32.exe
        
        C:\Windows\system32\Cdgneh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548

C:\Windows\SysWOW64\Cjdfmo32.exe
C:\Windows\system32\Cjdfmo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\Cpnojioo.exe
  C:\Windows\system32\Cpnojioo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2920

C:\Windows\SysWOW64\Cghggc32.exe
C:\Windows\system32\Cghggc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\Cppkph32.exe
  C:\Windows\system32\Cppkph32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\Doehqead.exe
    C:\Windows\system32\Doehqead.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:296
  - - C:\Windows\SysWOW64\Dccagcgk.exe
      C:\Windows\system32\Dccagcgk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\SysWOW64\Dbhnhp32.exe
        
        C:\Windows\system32\Dbhnhp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048

C:\Windows\SysWOW64\Enakbp32.exe
C:\Windows\system32\Enakbp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2256
- C:\Windows\SysWOW64\Ehgppi32.exe
  C:\Windows\system32\Ehgppi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:3000
- - C:\Windows\SysWOW64\Fjaonpnn.exe
    C:\Windows\system32\Fjaonpnn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:432
  - - C:\Windows\SysWOW64\Fkckeh32.exe
      C:\Windows\system32\Fkckeh32.exe
      4⤵
      Executes dropped EXE
      PID:1056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:796

C:\Windows\SysWOW64\Dfffnn32.exe
C:\Windows\system32\Dfffnn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdgneh32.exe

Filesize
55KB

MD5
a698137f7c2b39894c3718f551cbe18a

SHA1
714ad7efdf0e42bcb3855a2a26b7c6cad9b259eb

SHA256
b4af11bfdc201262fe2080efbb317a53f459c41bb2cae3e5c23b4a82db0db8c5

SHA512
3f8de4f8be0f1ab9cb19125586a7fa2b362b11fda79358f943cbbc741d268800809c0ed8468c3e63925ea51b97d88cf10a62aa055d7d81a367d5eff7f66e30b9

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
45KB

MD5
eb802c2dc35bc6005c8e1fded944f6c9

SHA1
f656edfb2414930dd4bac83614e176fc14d4348a

SHA256
9b38e2e0de02cfb68a1c5ebebd4021e7bb0ce128190b5261408f032a6b4190ae

SHA512
a9361ac06c812b93f30550bd351654be13883d670c52b3488789801cd6da04d22f7ad8e167af9b5d1f7fe92f1242fd041fd5efee7b2de649ea6ff740fb9e3e8f

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
55KB

MD5
24de5e456330bf202696f4f75f5e8610

SHA1
9b520d0edda67785996c29187b43359c1eafafd7

SHA256
b73acd7e17c993516659795867a5018f455ffa519367932a68c8cb278972dd3d

SHA512
b182ee0eee2aa1bc4f5551b83ac01f6dc07011429d38ba7af35f4c61664c7b741a57e26453b239545d275c678eb52d2b99e6de8428b19a61e304aaea9e7018bb

Download Submit
C:\Windows\SysWOW64\Cjdfmo32.exe

Filesize
55KB

MD5
21382dd1afcc2ca17dd7c48b86756aa2

SHA1
b887630aaf787bd7f32a450314601c2f08ec601e

SHA256
343a90b2841f53a24e552f582f66bd742976827f68e74bd10f50228c60a38b8d

SHA512
e2ff36b97fa24c1d7b7c09ebcfe9e80ec547fc8e92a1d403b98f3db243f40991bfbc557b0ad2861b4910f9dfd3de23508a47b0b363dc5ba82475ccfbf2075f1d

Download Submit
C:\Windows\SysWOW64\Cpnojioo.exe

Filesize
55KB

MD5
9405fb7b967431b50bbc614baa81708a

SHA1
df3d39e618cd9f57907f533dfdc33e02aeb25bbc

SHA256
94a367326cf432f6d9a2b7364b017e0ec119b3e8cf5caffbc2e9ed83a25d0591

SHA512
ce5d30d58ca96102dfc2f1554b3f268932c5efedf713b89e47b0030ee2f8757aebb2a5ed3264f8736b623fca4675236dfd91203057243904262103f2aa3bb6dd

Download Submit
C:\Windows\SysWOW64\Cppkph32.exe

Filesize
53KB

MD5
f80793dac46679734d9ef6d2fb7acebd

SHA1
a6a2be7487ac35e0ec74459c702253317d134096

SHA256
d8678bcf05b39724dbbc9b9f61c988d25e4ae06d9e4be3d19cb1916b409d2829

SHA512
c910a8aaac484028c56cf1c6a3fef739542dca59d7b4e148d29965f845abaaffcf679e384ca7c08800392e9a54bb7604c71557ebab212d4ecc39e730d0f37628

Download Submit
C:\Windows\SysWOW64\Dccagcgk.exe

Filesize
55KB

MD5
fcb60a282e8411fc5097710351f483af

SHA1
c7536611963b5770263075f9c248eda07779687d

SHA256
bc33f46ef16f3f4c052e7aace1f283162b808a1bd2ca51b86f5bb8ce74ff1df9

SHA512
246cef303a20c5b7054d3063ae38b225cdb8b9e5e751ffdb6c7a82c3de153061dc548f6dfee9d7bf2c39dd4101cf758ee82c8547ac3f31c014d8ce1fbff13722

Download Submit
C:\Windows\SysWOW64\Dccagcgk.exe

Filesize
8KB

MD5
4f51cfe9e36821d1ecdee4ac39816d31

SHA1
4844b41975a5a5f0db1692f35ff4129ee92169c6

SHA256
df0d069ae968c3ca7fc9952081ac92bfeab629c76c4b7654c7f4cd46c96cb872

SHA512
58d7d1b6fc5381122c1e918c8ecb6b1c0a7e2966743116cdd7a156c393fe51c46a9f09593c735cf8fed773b9557d80e49249e792b3981412973d2978c63e87c7

Download Submit
C:\Windows\SysWOW64\Dccagcgk.exe

Filesize
5KB

MD5
c689afb8e60f997ef3c6f949b9327cbc

SHA1
b9010729c9413b533e70581e18a28422113a7ae4

SHA256
0fc76f045cae7c4af8b86ccf241182e3e4e43cd00fc76674d3c951a7acf50144

SHA512
f7cc31cb1087f595f4d95e40af61d919eec8e041be0f5b93c63b9c1fbb513e35608c7c0f904bea88635ba00acd42184fa9a24eb8209b0bb7336fda89bb91e3e5

Download Submit
C:\Windows\SysWOW64\Dfffnn32.exe

Filesize
55KB

MD5
2bcc92c22bfa4127a7105f9121ddef45

SHA1
e06fccc17ba95c5858d8384b9483256d17666d9e

SHA256
f4f2fe386201b6f5540c02235f31f0da1ed3472ba478637fbcd48c5fb9b6366a

SHA512
68b713b62edf0b40b8d6ed52de22b23c7e398e953d33a87713fe4aa2330f3ca05d681d2f6e589195b22925d5aac90b7171d0b8c0da4f63b288f0f0e2e48366c4

Download Submit
C:\Windows\SysWOW64\Doehqead.exe

Filesize
25KB

MD5
4e48acf3779a8cb2d0f570147a95a5c1

SHA1
2813dcda8e349b0de3414efa8b5b9379d620a487

SHA256
318cbfd6961c3e4d16368fbd916e11ee2d0431980836d34b5c45c21b8cd18df8

SHA512
8bd119941e1b067370e89a4914c21c13fab7bad7c0aea2f5af8805b2be8280fb480a661f939140d7c55745cfb9f588beabbd54d24b883bf4156265dd54406613

Download Submit
C:\Windows\SysWOW64\Doehqead.exe

Filesize
12KB

MD5
b4c902d1a24da0bc85a8338443ec12d6

SHA1
b0df01b98e68dbc7197cfcb92c339b9adc7414a1

SHA256
44be9407c884fd4ef3651f6df2e3ed8150395a33b8d641dac5abbe432dace9b6

SHA512
3bf3fd0d76d4a93726224cf16a13214870e4e8af6c6159404db5be666e99737c8bf572bbf2f18b744636207478e17e05540b525749659949e337c512edb4da31

Download Submit
C:\Windows\SysWOW64\Doehqead.exe

Filesize
45KB

MD5
156779da23b532c8a38d4d708a46aac7

SHA1
31e79fa5697a2ae4a8d8c2e11defe3802c65c1f3

SHA256
276efc14c8b2991c5e6a535e52c52893169d945436771d8dbc5be9dbb9d3b582

SHA512
78689280b664dcf1bb9c8a32938dfb824d276eca1c6e285c68a38655454ef3624fe7a1df3fe03663989bf8a3d5bc06288b4fced92ac89746d82f5c18d672af4e

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
55KB

MD5
0544dfb3545332433c2facbcbe6d68b7

SHA1
86432f243ddd5e47a6516c2f971d92fc35166c39

SHA256
070f42106a47b5f7cb3fb22d76b53a094178be9603b0835e577a03daf7087d09

SHA512
cf48fc663f02b07ef21b2f526f9ff0f8acd31f14fffb83f84afb2ee2bce99247268a0c0c7c0d1a9cd3bbae1326b9fb782e53b3272f6ef994d53c2ef2b318d6fe

Download Submit
C:\Windows\SysWOW64\Enakbp32.exe

Filesize
55KB

MD5
a9db9384b5183bbd619a168bea19752c

SHA1
bf3006024e373c7aa9598201c57b2df080f117ae

SHA256
72ed2481d02dec504852374ffbf67c0652931889a5c92f4d72eb4c4a3f231552

SHA512
57cb46ae778217585a871ec66164e6a94c2343925835d35a7d297022d6bc32103c9298aa526d6ee57b0d982c571da2219a23a8c81e3860573180927402008b3b

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
55KB

MD5
c5434fc784f9abdb79ff7d78b596f146

SHA1
90b8dd68f18237fcec4bc6f8592a2efec0f3a655

SHA256
0eb00f4a0e7216612b5270be0e3e2215fb3d320b752004763cfe2707388c9dc8

SHA512
8cadfb53d36d715970e9816a2a6c358ee8d24bb7aee10cce4b3fc347ff8ca580b7a54ad4685e30bb45350c1bdc5760e9d8e879d7550214c0497ff403c41c6172

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
55KB

MD5
23475a79d1548ce92da30459788c560a

SHA1
471bba3fa0206eecbb3061928bdfd3eb3cab6388

SHA256
77b7585e2eb8d9b146d34de08e10e66723b6b25f62e9fc60a7c4a6607a5f6368

SHA512
9c4c57f6aab44cf24d3960b2661a24889d0a0d3b16b30c3b1cb78cb1a99d1466fb98f6a8c9018ec46b283474ee0415f01531703fe52c42c799a0129670e1742e

Download Submit
\Windows\SysWOW64\Bbjbaa32.exe

Filesize
55KB

MD5
29fc345e95516cdd9b80b269fefc8a98

SHA1
a461ed1f446e8c22167338544cf325d947765130

SHA256
c82faba50bc92b562ce5c891b3a5c6bdc474e9c73218db9d8ba54fc55abe1b49

SHA512
8e2c623dd487e15c01d124d0df3c95f72d7dc98ec8dce692705b65822610270a2342dd8d098102260da70e1f98c2eebcea395dbfe8f98c239ca94e67ad3f2dfd

Download Submit
\Windows\SysWOW64\Blgpef32.exe

Filesize
55KB

MD5
f8ae604f3e4f53a0b47951ea39bc38c6

SHA1
9252e6ac2165f4aa51eca214379d8c2d993f52b8

SHA256
623e572cba39c495e35deece3e298e4485e75230d137f4ed59b2fe085fa194a7

SHA512
33c9b8bd348b167ac31451e50c36d208fd16509e12ad02701a9a486503564bf312d5e453beaf64f210f10ab5cdfa1c7f00fde0e94f4d88be1086e5ffcecb36ac

Download Submit
\Windows\SysWOW64\Bppoqeja.exe

Filesize
55KB

MD5
48fb4f2f43b12659187d7b09f2a2b9f2

SHA1
8ed2f3f45633146b65252516cf3f6c9f841ca8d9

SHA256
9b87e07c20ba7bf7231d27bd9a0098e317c43654fa2c29190ca099939a70bba5

SHA512
0099326fa614aafbb48aa3b1194ffdb3a9ed1914e5aabbbb2847cb26586622cf1e496b02093ac16f792aedb7c68d47795c19e9267e03080d9056bc0adb45e7bc

Download Submit
\Windows\SysWOW64\Chpmpg32.exe

Filesize
55KB

MD5
e4e41d7b60a2a0c6edceb4f0dc47dc4d

SHA1
4c6205ae88f94af7357a8b4108d8562ffcd2a3d0

SHA256
31d13ed37ec4d2782fb3926d43f4500943ea63526f597ce0e2202484f4a7a158

SHA512
d8ecc6d85404df6f4718ac8ea0b843451f3cc140475eed7d98634a2fa81c726996e7fdd9303ad54f50d640c952914d7deda525b2a964034ed47c823a18e06737

Download Submit
\Windows\SysWOW64\Cklmgb32.exe

Filesize
55KB

MD5
a4ac77a904285284248f43a7384ddd28

SHA1
9e16a8afc573d7c1d81cb7b4026387c465571166

SHA256
3ce8eb37746d9b1cb242ca1709de92c323eacceca26e3eea3a57bbc45f6ee955

SHA512
afea5248666a3948097e2aa9b77700eb1c6c78318655ac26154131c1db5a7eedd6913fe8f4f03caf4c71a6aee65a11c9435bb8f6dc39c946c4342ef3f36e03f0

Download Submit
\Windows\SysWOW64\Cnmehnan.exe

Filesize
55KB

MD5
571b914e6667586d0de7d4fc92bc89ac

SHA1
426b33dbb7249140d2aaac3b67e89ddc8ce05a37

SHA256
04c75f5447efe2f53440198ff92188bf5595e740e2164b88ff2716ad19f00218

SHA512
9d333a040e1eed1065d109c32ef55b77cf7c471da74bec1d20e4da2acf2b7e523475ab0d4dc6465a09bf430b0d56cbdafa4500fa3a73b1433bfde221b8b806a3

Download Submit
\Windows\SysWOW64\Cppkph32.exe

Filesize
55KB

MD5
8c53bff839a3ca18a1d792f67160846b

SHA1
ccf6dea002def4fb8ba3e438399faf32fef70263

SHA256
fd8f703a357b53c02e47426ee49652d46e4e90e690ec3a749cdbd2e165eee19a

SHA512
64bf8849b38d4edd55811d8e52dad39ccc6ab0b8a1c25d55baeca72d29e4e6635243575acb8f9c824257b5f248a02120c1e219e9b08d684b7f11b963f762e1df

Download Submit
\Windows\SysWOW64\Dbhnhp32.exe

Filesize
55KB

MD5
3a3981875913b1642a24eaa103fea2a7

SHA1
5bc39476ee243c85890c8262f204a2d6e2d4d583

SHA256
24dc677314aad73ee4aa4cf40b068471b74e75e07cdaa92a87dbf03d5133cf5d

SHA512
19e7df497f2fcb244a31eebee4ee415719e5504641a157eb90a24bdae8c03bbbc0f7824d130ddaab5412a96dca399bca5e8a23e72ce7e3d15fc54203c1f4ce20

Download Submit
\Windows\SysWOW64\Dccagcgk.exe

Filesize
32KB

MD5
1faa0576be336e63168786cc8bd30a00

SHA1
77763f43142928b8dcbe4372bd91b5e7ca5aec82

SHA256
77562dffc7c21cbe9fcf15c23db82844fee481bb5686f7251fd0ac712f407aaf

SHA512
4d88993acf88d14299b9938a9e3c4f2545c357289b4a2420d49ca2d0d918611c4469008f236af0a81c56ea92093768eb81e9ebb710efd17b6cf36af0f202ada6

Download Submit
\Windows\SysWOW64\Doehqead.exe

Filesize
22KB

MD5
fd8bb8f09ed6965116885d4cf1370db5

SHA1
5c169e01c5fe4b7a5ce47ddd672852772547625e

SHA256
28998ed5aa4ca25a3f866b12816f05821956e6a12729753295a80061e7f0d406

SHA512
c19c26814f2856259c69294f0d9e0da6c496a551143fb52a1cc0886badbd11eb8e92fc71bae2ed31fdd992514b8d47bcf77873e82e11a246e3756f2cd4696fb9

Download Submit
\Windows\SysWOW64\Doehqead.exe

Filesize
55KB

MD5
a59f7a508f9a06be1e863ce200635e7a

SHA1
9cb000e111ed4bc93b67d0a575ca8121ff6163a8

SHA256
7ed96919c4725c6a920214b8c436ba484a58b0de5026878caca1df143dc52ab1

SHA512
1f40385f3ca24feeb0b1bf109c4defd9247526f28ae842a48a04cdc1f171ebd4b210d621ff9e6fa0f87fc0331c0ba79f5ccd16036ea10a1e6794c710448776fb

Download Submit
memory/296-173-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/296-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-188-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/572-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-197-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1048-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-160-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1900-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-145-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1900-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-139-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2256-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-225-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2356-20-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2356-25-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2356-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-79-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2512-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-6-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2596-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-35-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2740-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-48-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2820-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-63-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2920-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-240-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3000-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads