deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 06:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe
Size

96KB
MD5

273b08c305aae0a09b95b19bd6dca0a8
SHA1

aa5f3e4a94be5531f3de0fc94b4186472dd9029a
SHA256

deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4
SHA512

78f6d50ebbeb8463efc98659e58b2239c4c61a3e7fe78f6085b49a0063ba0ed465b701c349f7b4f62b39abf0152906476645640cc12d4ef3cdabf4f47baf9a98
SSDEEP

1536:X6vxGZSMhyqhvByZzlL2LVsBMu/HCmiDcg3MZRP3cEW3AE:CNMh1ZywVa6miEo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe

Executes dropped EXE 40 IoCs

pid	Process
1236	Bchomn32.exe
2760	Bffkij32.exe
3464	Bnmcjg32.exe
3924	Beglgani.exe
4744	Bcjlcn32.exe
3868	Bfhhoi32.exe
4380	Banllbdn.exe
3432	Bclhhnca.exe
4912	Bjfaeh32.exe
2780	Bmemac32.exe
4300	Belebq32.exe
4428	Cfmajipb.exe
960	Cmgjgcgo.exe
4476	Cdabcm32.exe
436	Cnffqf32.exe
964	Ceqnmpfo.exe
1160	Cfbkeh32.exe
3048	Ceckcp32.exe
4600	Chagok32.exe
760	Cnkplejl.exe
1460	Ceehho32.exe
4312	Chcddk32.exe
4120	Cnnlaehj.exe
1796	Calhnpgn.exe
3460	Dhfajjoj.exe
3360	Dopigd32.exe
4376	Ddmaok32.exe
1672	Dfknkg32.exe
4400	Dmefhako.exe
4824	Delnin32.exe
4856	Dfnjafap.exe
2280	Dmgbnq32.exe
1848	Deokon32.exe
4956	Dhmgki32.exe
4276	Dkkcge32.exe
4876	Daekdooc.exe
1232	Dddhpjof.exe
4660	Dhocqigp.exe
804	Dknpmdfc.exe
3888	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2732	3888	WerFault.exe	124

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1236	1592	deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe	82
PID 1592 wrote to memory of 1236	1592	deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe	82
PID 1592 wrote to memory of 1236	1592	deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe	82
PID 1236 wrote to memory of 2760	1236	Bchomn32.exe	83
PID 1236 wrote to memory of 2760	1236	Bchomn32.exe	83
PID 1236 wrote to memory of 2760	1236	Bchomn32.exe	83
PID 2760 wrote to memory of 3464	2760	Bffkij32.exe	84
PID 2760 wrote to memory of 3464	2760	Bffkij32.exe	84
PID 2760 wrote to memory of 3464	2760	Bffkij32.exe	84
PID 3464 wrote to memory of 3924	3464	Bnmcjg32.exe	85
PID 3464 wrote to memory of 3924	3464	Bnmcjg32.exe	85
PID 3464 wrote to memory of 3924	3464	Bnmcjg32.exe	85
PID 3924 wrote to memory of 4744	3924	Beglgani.exe	86
PID 3924 wrote to memory of 4744	3924	Beglgani.exe	86
PID 3924 wrote to memory of 4744	3924	Beglgani.exe	86
PID 4744 wrote to memory of 3868	4744	Bcjlcn32.exe	87
PID 4744 wrote to memory of 3868	4744	Bcjlcn32.exe	87
PID 4744 wrote to memory of 3868	4744	Bcjlcn32.exe	87
PID 3868 wrote to memory of 4380	3868	Bfhhoi32.exe	88
PID 3868 wrote to memory of 4380	3868	Bfhhoi32.exe	88
PID 3868 wrote to memory of 4380	3868	Bfhhoi32.exe	88
PID 4380 wrote to memory of 3432	4380	Banllbdn.exe	89
PID 4380 wrote to memory of 3432	4380	Banllbdn.exe	89
PID 4380 wrote to memory of 3432	4380	Banllbdn.exe	89
PID 3432 wrote to memory of 4912	3432	Bclhhnca.exe	90
PID 3432 wrote to memory of 4912	3432	Bclhhnca.exe	90
PID 3432 wrote to memory of 4912	3432	Bclhhnca.exe	90
PID 4912 wrote to memory of 2780	4912	Bjfaeh32.exe	91
PID 4912 wrote to memory of 2780	4912	Bjfaeh32.exe	91
PID 4912 wrote to memory of 2780	4912	Bjfaeh32.exe	91
PID 2780 wrote to memory of 4300	2780	Bmemac32.exe	93
PID 2780 wrote to memory of 4300	2780	Bmemac32.exe	93
PID 2780 wrote to memory of 4300	2780	Bmemac32.exe	93
PID 4300 wrote to memory of 4428	4300	Belebq32.exe	94
PID 4300 wrote to memory of 4428	4300	Belebq32.exe	94
PID 4300 wrote to memory of 4428	4300	Belebq32.exe	94
PID 4428 wrote to memory of 960	4428	Cfmajipb.exe	95
PID 4428 wrote to memory of 960	4428	Cfmajipb.exe	95
PID 4428 wrote to memory of 960	4428	Cfmajipb.exe	95
PID 960 wrote to memory of 4476	960	Cmgjgcgo.exe	96
PID 960 wrote to memory of 4476	960	Cmgjgcgo.exe	96
PID 960 wrote to memory of 4476	960	Cmgjgcgo.exe	96
PID 4476 wrote to memory of 436	4476	Cdabcm32.exe	98
PID 4476 wrote to memory of 436	4476	Cdabcm32.exe	98
PID 4476 wrote to memory of 436	4476	Cdabcm32.exe	98
PID 436 wrote to memory of 964	436	Cnffqf32.exe	99
PID 436 wrote to memory of 964	436	Cnffqf32.exe	99
PID 436 wrote to memory of 964	436	Cnffqf32.exe	99
PID 964 wrote to memory of 1160	964	Ceqnmpfo.exe	100
PID 964 wrote to memory of 1160	964	Ceqnmpfo.exe	100
PID 964 wrote to memory of 1160	964	Ceqnmpfo.exe	100
PID 1160 wrote to memory of 3048	1160	Cfbkeh32.exe	101
PID 1160 wrote to memory of 3048	1160	Cfbkeh32.exe	101
PID 1160 wrote to memory of 3048	1160	Cfbkeh32.exe	101
PID 3048 wrote to memory of 4600	3048	Ceckcp32.exe	103
PID 3048 wrote to memory of 4600	3048	Ceckcp32.exe	103
PID 3048 wrote to memory of 4600	3048	Ceckcp32.exe	103
PID 4600 wrote to memory of 760	4600	Chagok32.exe	104
PID 4600 wrote to memory of 760	4600	Chagok32.exe	104
PID 4600 wrote to memory of 760	4600	Chagok32.exe	104
PID 760 wrote to memory of 1460	760	Cnkplejl.exe	105
PID 760 wrote to memory of 1460	760	Cnkplejl.exe	105
PID 760 wrote to memory of 1460	760	Cnkplejl.exe	105
PID 1460 wrote to memory of 4312	1460	Ceehho32.exe	106

C:\Users\Admin\AppData\Local\Temp\deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe
"C:\Users\Admin\AppData\Local\Temp\deb5c1bf68becb247bb36180355bc8ffbeec1bf1cffe61d926765fe136a8b6d4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\Bchomn32.exe
  C:\Windows\system32\Bchomn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\Bffkij32.exe
    C:\Windows\system32\Bffkij32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Bnmcjg32.exe
      C:\Windows\system32\Bnmcjg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 404
        42⤵
        Program crash
        
        PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3888 -ip 3888
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
2999e3f88bea5d31d30b3567bc3f4013

SHA1
896e2330da6fc3f790b9b9ce0afd54912cae1fe3

SHA256
664d9cdeb1620aa7231701f2ceccddb70544d004168e3cfaab1faf3a8640954d

SHA512
ccefdb41f91e3deac7842381461e76ab7827f1baf26efc47231995b9c0af0f8531e2ad70a822217f184e9fcbee7fb2289f9ef2990fd8c84f2a8a42dc91e73131

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
96KB

MD5
fa6ebf399222d22b0ecf45b10800692e

SHA1
a6a81682a756dd128caf4e7d54b5cdfc42b7898f

SHA256
8bad5a37a2a19f0699dff481ae7b4b3eb1cadd0e3689d0ed43a0174125e0366c

SHA512
15e1d5bf1126f92925ea25a23fa93c243d0706acb3f184aa1d4a6b7c05d369e9dfad32ccfc154134decd46b03e158c3df3cf30986e1af75aa7e569f90ed8a665

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
96KB

MD5
aa8473386a4c3337af4d2ad89a02c04e

SHA1
fe0665bb6f4ee54e1c11b1de84d27a17179b5644

SHA256
97418c87d9ddadef7860e98c3aa2f1bf3e34ae919cfb17210da75fb24ebdbb7c

SHA512
eb88d127c4f080954173c879eb9c72c31fb02efcfaedfb5358b4f6c76e83b1ac195784bfb403a74826dc45d5fac8cbbd91323d0b90f5a003fb221aa0e0a99094

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
563287dbc4697426de764ac89f68d98a

SHA1
eda747314328c512a85c77e9ed0af64fc391c50a

SHA256
f5983757fbd75f2cae4e4e52012e7e7f92ad158c9fb3e215e7636b81ac09ae92

SHA512
45b25be9b4ba6a25a65f69de7c6871895564b3e4c2c8521cb0617bdd840fa4a604d333363f735556f3c98e8cb5dbe739ec68bca7b3fc39aaf6aceee36c7a3a0d

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
534c577debfc1deddb62ddffa195ad56

SHA1
9f1a4af81f969dcc96b66af325051b9fc55bf26c

SHA256
ec6e33c8be0059854bd2d595216afad97a172027b2376282cd44406348c7ca01

SHA512
81fb19b900a9f23b217b556412f11fdfc40f6e8c6844cc58eec3e7403531fb7346e159f64ddbf0097f40d9f50829db3b4a84c3f07c38abfc8561b7cca35a5bc3

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
825470e202e47fd090f5228eeb933121

SHA1
d879ae63499fb0f056a5930d31d81595f2e85a45

SHA256
c8d94bda4797a06096e5bdac955569f89ee8bbebbccd3b16191add019b2fe38e

SHA512
11e47618639d6a1b813b9ab9a1f20bc79d95e6071733144dd88bd56c66b2cc648b8ca87c3b4799c608464f445d8cda6e2a2bb032824d6f5d8fa866253adf8ccd

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
fe3683a493884d7adadb670c115fc512

SHA1
da8e6fb2387692fe6f10c74860934b6d0c8529b1

SHA256
146fdd45cddc54e3b13b9bc972f2a0e4e073d85b469dda8c3167e8c660e58a54

SHA512
f2b284550ae4e1508d1b66963230bae2f0fc69a7e945de3110e15da2555342bdabffd3d443a204373077e91bbcbfb992578bb96cae49af16dbf2dc82f5fbbcc5

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
5f70b2202f5c32268b945b4c026d3cba

SHA1
080efa2faa09294f315c28a73e6e54b63b0fab9e

SHA256
e4dcf4d38568d466303d721f32050d4330fd34284a8eee2526cf73d72a4c699b

SHA512
6aa418b8c1e081729eba3ff218a1e30b911dc983d9b75e566f7a75184c7bfdeed759f3d10804acb39075e4f49ba8a267819b39de11d1f55a12b59201d2c2c32a

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
42bb9d56ea7509020013978e23336eba

SHA1
63d722fffac60cfafcdf736f30b78e5ab21c7d85

SHA256
e78a9616e948eede364053109ba36ff337c9502e74d267098e4130c928d20f90

SHA512
086828e0afb528870dd21ca843e80a75451f0a5e2dd4def5cf5fa48c06b13176596879e14c7d75021a591ded99ac5f4f094d3ad0583df21dd8435dcf1e1fc169

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
17258e95941c09fb6a6bddcae4957b1d

SHA1
65cd70c1b6d6096f001063a38e646a9f6433e365

SHA256
937a51a2fcc75bda4ca2dbf54b08321b09e158b6f721ce2699acdfadde8f20a0

SHA512
3302b9f8b51ec4b8f7e6dc9999fe4778cdc3728c15da419b6bd2c038d14a5b333d4a4a15462b5249ca19419faf355377de93216de6db7f287b499496d1db757a

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
f1ce6243aac162648e2fc88815094e1e

SHA1
1a82b98cd9330162dab1e3e37020db5b2b3aeebe

SHA256
0ab84ba57fb4ae47cc8a98a1b4b54c26038be2742b605247a95f2c4dea8311ff

SHA512
c0cd74397c7967e8d83a9de1e4f5cb88985c57b5a4c2f6d07d1e3f0b28a6283dbc4f7b18fe181758e108acc71c2f1ee172edb9da9604eaba06eaf0e578474b79

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
2c482c04a90c55923c0c48d49dc649ca

SHA1
084f86d631cb8fc895c58b8f7905c02e8237219c

SHA256
2116ddd9a1ccf2bbd9d1ab9476b488bc6793443927ff29563ba1abccf965cfd8

SHA512
2f7083fa2d9a033a0ae043c13102309563301b33b006d9262b712d790d1cceacf3ea042265da6cc2188a99c04ad1bca37d8d70b099cb7b75bcb491398659b8cf

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
e79ae0772422122811649a6282411d89

SHA1
aaaf2aa388575901cfa33b0b8fef3898dcdd31a6

SHA256
247a13231be9516de4cb1d4b91ec398d0a8af0841e0f22f2972c7bcb3d32fabf

SHA512
32bf517da9f1ba2d71fc32b05dbf635c078b9957919646f20cce635dfb80929c88a6c18e31d684de9cb9555239adb3efc0a2a081d0dc1b85ec4d38133a3d2d27

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
185218ea2236cb4161b45dfd3a1e02a6

SHA1
32f7ee6389cdcca10cc36e919afd6f6e05453192

SHA256
f6885b4f563dbcca86e48418788745bab698b6ffe1a335e390b5b6edefc0e222

SHA512
0c89ed987cc272605a3cf661a8ee0b2cb15e187769dfcadce2f1d834e8170d5b355dfb74a726e3e806711583078bc0a079708b4eda18826b2781780442f141f1

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
669a205b0ee2baa74a322ae3599eb0f7

SHA1
c8f77e4314729d13102f1d12bcb5934ad303fc41

SHA256
2494a68958f4ca722cdd1143bb64648ffcaac73bba175b2fb20474ca78079040

SHA512
55224814f7c9a3a84f630270e7b2d052246772c08b3ba8e4a531cd46d79bd9fbfcef68ef4160e0e327b202dbfd8a10b62414fc3044fcff99ed58e63394ff66fd

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
161c1823e941527fa05b5824031a0f7c

SHA1
d579e803f43580f0135a7b35cdea6dbaf5fcdf84

SHA256
4dc10ba80d40b429ddad939a35f458813cf60d6f19abb001737c36ff4fac15d0

SHA512
e93f8f7d5c57087be345a93aba759cee1d602a3fe4f418193f487af9db03f25eeeff4b67f23077040722ea40d7530a787d73f1a24d8aca9bfae19023a5fec78b

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
6174cf052dd1489cc66f2ec1645e715d

SHA1
448d8c4fe0937daf98630f725aae20fc180a1b89

SHA256
c677d918e61109188587cdfb12e3c66c750bcdb36904d4c614930d3442171f98

SHA512
2f199d6cf8685d34b9f06de6d96469edbd43853d3bde3b66566c3cf37fb7e205a6b94db5833de48967b16224c08fb5c6ec037a5775c611f84185cf0bc86298e6

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
96KB

MD5
0ba7caab6832bdca2f53891268c6f383

SHA1
7e5a1a511ed2438a39c8248057e94875156a1e20

SHA256
6522452f5327485f8a5d14ac1d2d72b157aa6d1947894047935b638d5812ad87

SHA512
86b214170bc0760f64caa7511bbb1a86b2e80a1eb3d977d50d35bac5b15fef0fb7bf3fe59766636998bf081f70d1cc547e887fe0fd024cddf34a63a8c2c99222

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
80efa869f0ce813011b368f217342f92

SHA1
916a827815b993329f3a8226150c20f6ccd7c7d2

SHA256
4b8f43e37c7ddcb4751464736af79753a85259c708a2c24a6fdd2a039567c52a

SHA512
dd0d8327185db024ce00027058fd428352f1f9a30fdbc948a2e6a86ed845a90d33934cb86fc659faee13ed3a0553cfa820fdaaca02e028fd5e6d6d548a0fb723

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
ee9d1d72eafa8ab767a7cace4084aeef

SHA1
080ee0dbe6aedba54836c49fe6e06d1de6ed2309

SHA256
7c97451bbeb27a1b29d65209f086f2463daaaebdc6ca514d68e4c6a0490ef9a5

SHA512
ec50c00c5ce2b8b99696d993ef93eecb260ed6bd940633af55e6ff1f98f337ac00760a0511bc1e9dd4391ca7935ecad6867b303a0781db23440fc698acf7fde4

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
a5f2685be20c3eb77e47fdd7f592458b

SHA1
5cde20828902b909c0fd4599a54868608175c8cc

SHA256
6c8cc1ebeb65479297f8fb0d4da813b784f43091554ff4c28d65f133b02cf433

SHA512
8ebdab767e000f857ee9000cd69feee1de0f8abcf8a70b4a6c8743b1af4f6f4dbb74b49e9fd4b30b2f63080c64cd09340392605effffbefcda27c1cc0d5f854c

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
ec72ab01decb2f65e187c9fe39d66323

SHA1
023c2d5da907a7049275cac3d7a90e1b34ece647

SHA256
63823696c483ed65b7b71c91e98e50b80c6d1ab469845f3223a05b9c04c5f466

SHA512
60aeb9bdb093504914096c79592b4fea0926b7513af544c150d14cabe0f8060cc25d837304684a4c8cba955220d33b423322f558c3896bcb8de92d6fb945aa2c

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
387c1ef350912fc62f68a3aa9d27a576

SHA1
2fcf60b6e2eaffdd2ade40da15ff55564c7e787b

SHA256
ec7423522eaa3a31b58fca818c99941c4df5f232ff8d3757b4b6f3dbd8ea10bb

SHA512
3e8e7479bb9e41d1b0d3519cd8e21745b0aa59419c86c7a47e93dbffbbfa8d3a8b04dfb47b8710abc7818e6d9a372f0cbcbec0a62d8c0b607d0cc8d7bd95f65e

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
4150fa1d0bcc29993e850cbd0e3ca4da

SHA1
b006942cfacbf5e354c73837c38329d639587897

SHA256
eb49264246369181651604b40339f89b54ead0f8487fced9def86fc690119914

SHA512
6fce2a361bfae28de5fa934f5b75b556354ce116fcdb343f5685f82c7f4954c735aec20b7f3e277f18bdc162f69004e3d6115f7f464381d83ff935836a5114e3

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
a805a287fe7c0c4699cdd903c710153e

SHA1
fdfe1c062cca0e0bd6019ef23bf5e983661a2fff

SHA256
aa29ae9454dd2ec5b55a93b07eace27f37009dc8844d155217fee408b19d3f30

SHA512
08198239fadc95b705d7d86ef18234a34e65aa2250c02cca90d2ceb92408e31414433d0ca330045b7794683a6e604a005f4be3aa118d5bd5df02dccd65873b41

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
412015ef9f57f7e2834e817d844fd05f

SHA1
1c1a07866dbcd67c4290b45555a468f9e7ce57f8

SHA256
578f446b35debe6b937e95d86a869f292e43a5faf5d6b7a72615d4f7659eb2f5

SHA512
cf426ee91d4c13386a57051cfe11c106ef3d2bd6215a7fde609118a53efa895d218a35a9ea4b538e04196c26df30f4b7e75e277e3e963391ebb0e6d38179dfcc

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
9be5479377e15338fc6630572c84c0d2

SHA1
7f109b58b74a446c2776774e236808f1ddef72f0

SHA256
c7acd88285386cf45b2e9917e93c2de6cb4861173fdb9a83bad72197062d0c25

SHA512
3cdfae6e69d7556892ada63cb47d3572f3c52d354775225fa794e10245818ac82a8fb1729211b8f081781e78b7ddd80d2b8f780fe4edbf103eb6d541f72bb691

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
369ca31a7ea11901f4c945e1efdbc300

SHA1
c70bb0cdcca9a84dfc550ba1a81de2c605d5d410

SHA256
76ca4421e07670083c6d0ae8db37ff33c4040bae96a8cd0590ce0b82889e7a25

SHA512
9e3cb59293aaf3506956f5a82104a1c765e2ccf6f81990bf3c6817a201da266717fccb9602665e022c219a445282f36fbb29deca64e95ea440be10d59467dece

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
50a1bf20b74497c418019b4e119ffcef

SHA1
b7b964c7025f86297d12a7b297dabb56e0dd1816

SHA256
4720f023d3ce8e3c6d84ac5fba57ef88bfc7fa8f8afe018988164d26974dba73

SHA512
a47b9324c25c9f15252d29b488684046ab03009de7fb589d0f2dcbb49a815e085e4f8ba2a5fc18ca0d55db21ac911e3f6b7cd39347502e46e224662aecf644d0

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
f280c7575713cd493f96e1bb07229e67

SHA1
1fd9fa752aaa74737932ebe880c8b3208aec1501

SHA256
f79190705749ce7c84e1cdbf3c95312d462a18594a5e6b5569fe677958e1bfc4

SHA512
dac03f098887f7e4ea656f4aae06b39f67d0d40dce84090a82fc6d1eeec4602bb755e9965ab6f74504fbe186e7394c21f6a3aa13b68bc64fa6777e3df4ca8ca5

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
2807da9bfc88b83b45e67e5561cce07e

SHA1
3134ac716bf4428d8485081aa9f1346ba5a9166a

SHA256
abc35942b51cd195e8dac1879afa5a1384f49fc1a1753f08291b6646ae5db8d4

SHA512
dd8fb5d4298d0ba274ce94a2325902d93bdb65d19995af49087d7d79f8cb13b869895a7d1fab335b538c5bb699093df520e0c2e9e853df56a9b8347ddac302ac

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
a2fb80fddefc84586395f02655032607

SHA1
29fd8336ca902092f813f9c7b529d388325a7eed

SHA256
b829bf07cd83e0897911b302c019ff1359e895ef42ea56a9b46e8415e34c9502

SHA512
0502fcc028e9614c29efcba12c170e6e637d4cc57323952d0d8b94542d99f3d57140a4c5eea9a594b85c12473c1edf74f15906d5a103aaf0369759330da22fd0

Download Submit
memory/436-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1592-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads