89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
Size

320KB
MD5

ae61a42b6db365ebca4302e127516766
SHA1

2ba0cdcdb51f4a13d563b050049b8c4dd2289217
SHA256

89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec
SHA512

ef6e8b4bde804d636b2da422aec669d52934614c10968549ede3ff834666983d0e86003968a57383fccb386ec2406d7f71a78cde7a3bbcd55e19593b1faeb7ba
SSDEEP

3072:eyURiE5TgNy8/41QUUZm8/41QrAoUZ4pWLB51jozFWLBggS2LHqN:CAE5MnZgZ0Wd/OWdPS2L8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe

Executes dropped EXE 29 IoCs

pid	Process
1032	Bmkjkd32.exe
4304	Bebblb32.exe
2468	Bfdodjhm.exe
4640	Beeoaapl.exe
4196	Bffkij32.exe
1252	Bnmcjg32.exe
864	Bgehcmmm.exe
1936	Bmbplc32.exe
1576	Beihma32.exe
3164	Bhhdil32.exe
4724	Bjfaeh32.exe
5092	Cjinkg32.exe
4788	Cenahpha.exe
4676	Chmndlge.exe
3956	Caebma32.exe
4764	Chokikeb.exe
4560	Cjmgfgdf.exe
4652	Cfdhkhjj.exe
3104	Ceehho32.exe
3144	Cnnlaehj.exe
4248	Dhfajjoj.exe
2952	Danecp32.exe
556	Ddmaok32.exe
3600	Dmefhako.exe
3004	Delnin32.exe
4948	Dodbbdbb.exe
1012	Dkkcge32.exe
2616	Dddhpjof.exe
2228	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4872	2228	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1032	2824	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe	83
PID 2824 wrote to memory of 1032	2824	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe	83
PID 2824 wrote to memory of 1032	2824	89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe	83
PID 1032 wrote to memory of 4304	1032	Bmkjkd32.exe	84
PID 1032 wrote to memory of 4304	1032	Bmkjkd32.exe	84
PID 1032 wrote to memory of 4304	1032	Bmkjkd32.exe	84
PID 4304 wrote to memory of 2468	4304	Bebblb32.exe	86
PID 4304 wrote to memory of 2468	4304	Bebblb32.exe	86
PID 4304 wrote to memory of 2468	4304	Bebblb32.exe	86
PID 2468 wrote to memory of 4640	2468	Bfdodjhm.exe	87
PID 2468 wrote to memory of 4640	2468	Bfdodjhm.exe	87
PID 2468 wrote to memory of 4640	2468	Bfdodjhm.exe	87
PID 4640 wrote to memory of 4196	4640	Beeoaapl.exe	88
PID 4640 wrote to memory of 4196	4640	Beeoaapl.exe	88
PID 4640 wrote to memory of 4196	4640	Beeoaapl.exe	88
PID 4196 wrote to memory of 1252	4196	Bffkij32.exe	90
PID 4196 wrote to memory of 1252	4196	Bffkij32.exe	90
PID 4196 wrote to memory of 1252	4196	Bffkij32.exe	90
PID 1252 wrote to memory of 864	1252	Bnmcjg32.exe	91
PID 1252 wrote to memory of 864	1252	Bnmcjg32.exe	91
PID 1252 wrote to memory of 864	1252	Bnmcjg32.exe	91
PID 864 wrote to memory of 1936	864	Bgehcmmm.exe	92
PID 864 wrote to memory of 1936	864	Bgehcmmm.exe	92
PID 864 wrote to memory of 1936	864	Bgehcmmm.exe	92
PID 1936 wrote to memory of 1576	1936	Bmbplc32.exe	94
PID 1936 wrote to memory of 1576	1936	Bmbplc32.exe	94
PID 1936 wrote to memory of 1576	1936	Bmbplc32.exe	94
PID 1576 wrote to memory of 3164	1576	Beihma32.exe	95
PID 1576 wrote to memory of 3164	1576	Beihma32.exe	95
PID 1576 wrote to memory of 3164	1576	Beihma32.exe	95
PID 3164 wrote to memory of 4724	3164	Bhhdil32.exe	96
PID 3164 wrote to memory of 4724	3164	Bhhdil32.exe	96
PID 3164 wrote to memory of 4724	3164	Bhhdil32.exe	96
PID 4724 wrote to memory of 5092	4724	Bjfaeh32.exe	97
PID 4724 wrote to memory of 5092	4724	Bjfaeh32.exe	97
PID 4724 wrote to memory of 5092	4724	Bjfaeh32.exe	97
PID 5092 wrote to memory of 4788	5092	Cjinkg32.exe	98
PID 5092 wrote to memory of 4788	5092	Cjinkg32.exe	98
PID 5092 wrote to memory of 4788	5092	Cjinkg32.exe	98
PID 4788 wrote to memory of 4676	4788	Cenahpha.exe	99
PID 4788 wrote to memory of 4676	4788	Cenahpha.exe	99
PID 4788 wrote to memory of 4676	4788	Cenahpha.exe	99
PID 4676 wrote to memory of 3956	4676	Chmndlge.exe	100
PID 4676 wrote to memory of 3956	4676	Chmndlge.exe	100
PID 4676 wrote to memory of 3956	4676	Chmndlge.exe	100
PID 3956 wrote to memory of 4764	3956	Caebma32.exe	101
PID 3956 wrote to memory of 4764	3956	Caebma32.exe	101
PID 3956 wrote to memory of 4764	3956	Caebma32.exe	101
PID 4764 wrote to memory of 4560	4764	Chokikeb.exe	102
PID 4764 wrote to memory of 4560	4764	Chokikeb.exe	102
PID 4764 wrote to memory of 4560	4764	Chokikeb.exe	102
PID 4560 wrote to memory of 4652	4560	Cjmgfgdf.exe	103
PID 4560 wrote to memory of 4652	4560	Cjmgfgdf.exe	103
PID 4560 wrote to memory of 4652	4560	Cjmgfgdf.exe	103
PID 4652 wrote to memory of 3104	4652	Cfdhkhjj.exe	104
PID 4652 wrote to memory of 3104	4652	Cfdhkhjj.exe	104
PID 4652 wrote to memory of 3104	4652	Cfdhkhjj.exe	104
PID 3104 wrote to memory of 3144	3104	Ceehho32.exe	105
PID 3104 wrote to memory of 3144	3104	Ceehho32.exe	105
PID 3104 wrote to memory of 3144	3104	Ceehho32.exe	105
PID 3144 wrote to memory of 4248	3144	Cnnlaehj.exe	106
PID 3144 wrote to memory of 4248	3144	Cnnlaehj.exe	106
PID 3144 wrote to memory of 4248	3144	Cnnlaehj.exe	106
PID 4248 wrote to memory of 2952	4248	Dhfajjoj.exe	107

C:\Users\Admin\AppData\Local\Temp\89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe
"C:\Users\Admin\AppData\Local\Temp\89dfa120ed99e3ef66b96037c7174535b24b66d1ac15a9dd91ab65e0c9f89fec.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Bmkjkd32.exe
  C:\Windows\system32\Bmkjkd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\Bebblb32.exe
    C:\Windows\system32\Bebblb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\Bfdodjhm.exe
      C:\Windows\system32\Bfdodjhm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 220
        31⤵
        Program crash
        
        PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2228 -ip 2228
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bebblb32.exe

Filesize
320KB

MD5
80ddd9be40adc1e57c8c5e7de9f25f32

SHA1
4819415a06647622f32732a3b42eb0804c0b9d61

SHA256
c99b114f8b9ad110411b360ca804770cff8cad3c1528c77b90c621d8fb55037d

SHA512
b7ff1a7f206db19de9fdfb27bf5febcbd535074a3e9cc9fa4536113cc54e786a7375b63fb327afc59c2b82edd304c81f3835acaad95fe2f0feae3c58b9d7483b

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
320KB

MD5
f6adaee218c8f8d89b49e1f6b549b1fd

SHA1
dc425e3e83ca7428f7352950b321728f10833efb

SHA256
f3313f00d9b4ea9b1a6496d45cd69a6f4fd9f3e334de35282c60d2317be3251f

SHA512
dababfc536b180dd1cd44588f85a667a47f88c935aaab01c79c4c8575064fd1b9851fc6ba8273a7fe1f3f051ef20ec8e3b3bafadbf5da2859bcbc4af2d1ce2c5

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
320KB

MD5
35f933612d045cc1a75e1a4b7cec8e52

SHA1
12d12765cfa86bd1904ffede992f1dd1d5e5e862

SHA256
f29b9e58c346ce89d54b403769684787d0840c35e307d14e01bab4a32ec285f4

SHA512
7a96945e363ea19c1d6eb129411c818951c4d57e61c2a8ad5def8ddf6baadef9bedc826022cc0c3663b43c406fce72779fe8754beef53f7230cf74700c5fcdea

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
320KB

MD5
f0b52b15901383c5b6c0b9b5388e6990

SHA1
f6a4654fbd9d089619076a30a55a21cdb9d0c65b

SHA256
b932c8cb2f85cf3f05c68551eed652c99603c4fd366f50fd0fa820e404990d71

SHA512
4e691969eefeda880b36f79d53be66636bc2fef3a8453cea826b5b96fc4c601890a365e4dac559ecb4bada67188382e536c743d4e91730da39afd879489bf31d

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
320KB

MD5
33d118bb74360d31b3575ebd2d92237b

SHA1
2ee91de3f79fd80f1c7064c415ebae4c33d25057

SHA256
01596158107abad573b8ccbcc1d11f5368211668856c407dc9cd1d91bd0f9298

SHA512
38ca3476fe8eb4ac758c4075089b4f58656275f02540d34034334ef63baed1eb638151562d67806ec83159035ff2240dc4d4093319eb0454a9c04200a914d9a3

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
320KB

MD5
9ee835521ae8f2ffe467deeb01e8add4

SHA1
9afd4750eb519e7ac9d58115cbdb9817bd5c6e40

SHA256
f066a86d21702e84600565df5bc3e1ef44cb2bc37389b4a8d524e831b8cf2e21

SHA512
27997b8aa1e12bb395f9f911f68618e9e8cc7f2928260e06bf4bf431e89ba118935012d49a1966ca2c62ba714f4b82abac7abdf6d5fa801c409dab34843f189d

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
320KB

MD5
d4cb718774e5cfc486d357068065046f

SHA1
096d418f2b047c8ebab00adc6d82523374846a6d

SHA256
88af9b7aa5a56d43d20645fe13907efab9b6ebcd7567f9727123d31096462edd

SHA512
96cbcb959c2176657bf0e9d909c5adb8d599f39cc7d8988c9851a53ce094d2bed02a882e950ba91b0056dbf6ca16154a5c7b2143c5417a2407b7cabb297f8171

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
320KB

MD5
bbca93eb22c56f3effd33722f5184d42

SHA1
d85fa55dcd985e8b9eac72727d9a2d7dacd6a1f0

SHA256
252a110c532e5dbcf6b8923c2ac3e856ba578b716e25797d8966758843adaffb

SHA512
d141003aa27aaba25cf1b3bb56dc93826dee4bd73b457c2dbf6b69ba59a2c74b0a05958ffdc30582473cb037f581d36cc43b29b77c36c1d6a76e7ec563af9272

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
320KB

MD5
7ac6e536b57bf3e629881042e8187630

SHA1
4a83e1ddb583b2918240781acc5d5d4bbd02e96b

SHA256
945a76d9c3baffb1f40c10fb40f088903593966317c46b1754e442f473b7eb91

SHA512
f12f8d311b531e6df6dd4c0f857b5367bd18ae6a1b76d31b14a5f7be2ea3bd0446b31b4b1a5ca700d4bdc9a9e1c16d41cdb88a1a465f875cc5fd363dc1886ba9

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
320KB

MD5
8881ca6485946eb1259343ec60cdef7d

SHA1
a1b37a058fadd66d445ddf110f57118e9ffedee1

SHA256
0abd2ab2f19285cf0df5a82da700078b8668bbd07bab5c6623bb303bfa8dc3b5

SHA512
dc1c5fb053ce2a5e0f830c174874c79c7277a18a5eb5929843794442199d83fddc572e18e5b69869095aacca2336cc9f663699abe4f7d73d3a4d5d8a000536ae

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
320KB

MD5
1cedf9cdd85f5e1bc3d7c900730e4da2

SHA1
dafeb63aae4e8cda02f68a471727820421dd6ca5

SHA256
52e776549c776ea1272306194e6a81e882a6141fb771bef87b9c8e102800f14a

SHA512
700d5cd076b1d4606d9cb5f809e0d9b1a83d6ceec6d229faa3a71142550b43ba6c4104a7b285d691a9ad1700fa2ad540377191efd6582c3a817775b8da72e928

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
320KB

MD5
524896832558145be23b9dad58e6b6a4

SHA1
9ba21737d27f60a7d33cde212b5893e7296be286

SHA256
6da6ad123978abe6f33dc4f7b86f795d10232e98537a0c90e4dc64b59dc64672

SHA512
670131a067526af6d58c53df91fe2f3cadf31db1639e3d38828c8418d193618a4c6738cf7f007d86a61af176472ad65d830e0eaad3c535763027f8d3c5e2dd52

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
320KB

MD5
24ffdeb346af3104cc26edfd6bed7edd

SHA1
25a1bbab5d894f4af762a09c53e1d82a370b8ff4

SHA256
40ca2155ee15c7b4e31ed659d4f155b7c9b265d719c09ef65d773926a057e594

SHA512
98bb838366c8e851d5fcdceccdc2f984f64aedec571693061a75bb6da317eb2168e7ff32321bf67542722626906633edb708b48f1724362a37b6312da7868152

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
320KB

MD5
f2f5b95b46f9b828a0786be970115f8d

SHA1
d359d195b6c7223e401896c9a96075e561feac36

SHA256
8dd670197a50931bdd0a474243df21a98334eedc9b356f9d2536d794b7aaaf1e

SHA512
ee4bf9b6fe422361e30696895d93b5c4169bdc02539c2df722bb6191d4a50ba2b8c004ef87e17063a31ee36640415d958524e8307b1c841c37bd49754b2553a9

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
320KB

MD5
c5ce9494ea73f77d8b5bd2670e0ccb20

SHA1
8dd6fc27f2a3cf2bda6762ffc366483b94d73946

SHA256
b204668bf7541ea4f5f1d83604c5c18cf97be421673cd04cc779d4b9503eddf8

SHA512
59b39c601fe5b84749f1c67144b9384d96df2cd27ab0bf60693b96a8d892d36697c9b76bae4774b43db8f4421f2ee1ee291d66ed4a4ea7e8eaba0a261623ba6e

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
320KB

MD5
40860068a5bea838dba01d5bc7415541

SHA1
e5203ff618998e9854a8f42b34d4856384703c20

SHA256
b7729949cc156c2e946b7169798e89c43e6975cfb524452a0ed70c64d65ea2a7

SHA512
eed26bdab1ddd00a76ce2415f74b3f04934f10bca81848673b4d280259c9f92978f08e8817547a7975012f5f018db4f333231ac3bc1fa1f48baf1405c3cbd9c3

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
320KB

MD5
64c18efc4c88c35120ad645b0707b26f

SHA1
0eda0240cfbf165b4192c1b03eb3689faf02ca08

SHA256
64c63f18df3ce4009e449063caceb2495f1f1aea093aa128ac3db71383325915

SHA512
560efc5ffbc043edcf21b0b02046fee1dcd9730e6efff6de94af4344adb5a17c1e50aa25154cf2631acf629d24c9e6c0df448b2b1c4a42d48a72e0c7e5e2ad4e

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
320KB

MD5
ed8e7cc4c7c25c59c3f165c275751cb9

SHA1
555e0b092c87d13889219bd409735dfca29dd489

SHA256
e7415301b3708a1b9bda604e7b9ec8d4ff8f2d86b9b8395092696033aa56bf35

SHA512
10d793482a359182aa7c26ecaf50fd8bc67b292089306210e6a2104eec4cb4bb4a34c4caeb718aaf46edfd79ed399c8584266ff1f68a942c38ad4f3bae0c9127

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
320KB

MD5
88d70e7fddd0e5e99859c9709f1937b5

SHA1
09683731da1464e3f4d86f34fddbb9aebcaf4bc7

SHA256
803246993888c1374452ab353f1ffa16a66ec0b27fbed9e84fffdc7da0d33504

SHA512
ab39400e24fdec42ed3ac7cd430d75f403f269d9dc3e28ce00d29dd42e916e1ca90adcba4c0e24b374441951eba9a08be7ffd4aa5bbf4b6d756f5c0998255b55

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
320KB

MD5
772485e77a014bb22ce064b640d27b38

SHA1
b5c45723e97fc7ede757538d1367d866e9b2f3e1

SHA256
cd9966707431d7261909e0225cee86fcea96bfbb0b842afbbb549cee35809ed9

SHA512
8f3de1d732671171f52fa9ad0c74fe256e3073d7dc3711c6da2f821b1d68812f69c3484472b522ffa1a963571e6d4a92d4042fc489d7f3960bc18134cf19508b

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
320KB

MD5
f25d1753a0a53986e6ef030e6479e8c1

SHA1
a9e2140fd601576dcfc68771acace764affe694c

SHA256
2aa3092f4e7eacc21fde655293e57cbf8bf547b5c84b2a3945f5057e32d44a39

SHA512
c1693e18426be19201915c6981566ce949528d89c41adaf09140007cc83454a2b36e93912d52fe9f24291c6a71aff454da9eb5cb03fb91cffffff20a794f652e

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
320KB

MD5
833b72b1654ee522c562f5e61f0d9523

SHA1
aafe54935311c8322902b3a83044688f36c83b41

SHA256
820943c3c77438f8c135abf419e943ec60a11d2c0481a154d71b9aea6b7ca1be

SHA512
9c7db7b08dbe69392e3f212dd1a0cfefe33e3c8bc42eabd96a2b37d224723cab763d9564f86958a908804ead75d8dd9c97106ec3e0fdd0676411f715e3d1ceea

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
320KB

MD5
bded0b3227c6370c3e05904ad931ca9d

SHA1
b44beb71d4b65191143440e6b9d72a8afe9023b6

SHA256
05bb801462051f86f704246b334b9d9bb11f4ad60fb1d9177bd5cfe2f9db5971

SHA512
a1f2d11407f05dde82d629f7d8407947d6ec17c6640bada70869ac0657d58ac3df988cedcf03da61666603de0d6bf2a20de86ff12ecfdf6913a56a67bc616212

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
320KB

MD5
436c6548bf9d8073a8ef59823ccff5ab

SHA1
f1e1f7b05c7e06600620f9f6c96d1f9513b976a3

SHA256
4ddcce5925d638a26520728a25611463a01d18af1831dd79424f4ea8a9eed507

SHA512
e19277bee5cf09fb618473610edda2c22ba0481f5e4f93bd2b82bbca40ba20efe417c011154f40b5c3fe90242e07b47b4f5693a5ba341f93e84fb82b158fac2f

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
320KB

MD5
6a54d079fde48797817c81fc2c4a8296

SHA1
975605384b8e5f1501897ed44d19777135f866c6

SHA256
eaedb9c20cb24701305d102d01a4a890be41fa781466dc47f26885580ab0ea60

SHA512
b2c2b22a1e7b752ebad9b7382088b067a4d7d24a8f25f6bd7a7bab693e4f81af403455586f408bfb2441b9dfca390ca6bce6d062032ea342a30dc7a1873324f3

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
320KB

MD5
a09a7f3fdab56e5466e522c6eabd6eaf

SHA1
85bc2fe7a360686150cd813d42d3a901e4d4bc0d

SHA256
47fbae431056d275e3e55f93ba12a37756d9c04ff7d8040a1cc190b2bb410492

SHA512
8d4969ccf008d873b001c044ec8e50b598d0a890b16a835aa3bc25a4c2b9390fc2d1eb9c582c9dfe65ca31ea5c2a780b4556b5971e367d5885592472b42729ec

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
320KB

MD5
c371ac8025c4ecff0aa3b47b7805fe4d

SHA1
2190d99433ac4d2c398c5b2886ae54ff4f5aca5a

SHA256
4d419b1938fda877c58c806d7bc9e59b034b2b2fa9cec356a40a703926cff05d

SHA512
6fd84416179d79288c3497846c938c89d74db4b45ab8245201d7294b383feee098fc08ae0806ee38616694cdeb490159c25166e9e1be7c01e8aeb8add4ab8a2d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
320KB

MD5
e6c8dd2d3421d904d8f253d482aae887

SHA1
10a7286dfcfaa03278b0c246b2c4d117dd0a0eef

SHA256
d0b22497dc41da927f2cb448b9f849e186d306a0c1b265bd70e7a564516dc14f

SHA512
c74f087dd6fc9e5dc29840b38a8ba97466d816b072f0975e1bcc20a8c5a1814462e0b935d194407188b6247dedf6e1eebbc5d6bafdad1529bb798dad2490754b

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
320KB

MD5
968c0acee16c4e8f8098cb6d5b5ec43d

SHA1
478e578d4f41b40e94f23705080bdefb0332cd04

SHA256
557d88d8d9c194ee0e9736b60b96aaeb130229f9d9c382d1b5c6669112180efb

SHA512
c32c92e668f91fe982764f1b45f883b708e74cd6d6561ec67680921dae41aa28b5b0736d43198d7baa082a147f3dd3bce7203b9d5027d8f1d03995b4ca63ee09

Download Submit
memory/556-246-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/556-184-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/864-55-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/864-289-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1012-215-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1012-239-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1032-281-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1032-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1252-287-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1252-48-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1576-77-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1576-290-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1936-288-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1936-64-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2228-235-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2228-232-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2468-23-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2468-285-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2616-236-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2616-224-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2824-280-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2824-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2952-175-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2952-248-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3004-241-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3004-200-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3104-279-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3104-152-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3144-160-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3144-271-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3164-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3164-278-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3600-191-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3600-245-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3956-120-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3956-272-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4196-282-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4196-40-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4248-283-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4248-167-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4304-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4304-284-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4560-136-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4560-274-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4640-286-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4640-31-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4652-277-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4652-143-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4676-276-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4676-112-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4724-88-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4724-292-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4764-132-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4764-273-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4788-103-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4788-275-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4948-243-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4948-208-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5092-291-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5092-96-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads