af474d07a986c86c66aa1da668439e36bb538c878783c3b23a66f7d6a71ce529

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8efb09ae2d67c5c697640ed0791a3ae0N.exe
Size

352KB
MD5

8efb09ae2d67c5c697640ed0791a3ae0
SHA1

6c85cb52ca090d2177563c84a55b839e1268198b
SHA256

af474d07a986c86c66aa1da668439e36bb538c878783c3b23a66f7d6a71ce529
SHA512

25506713e0e86bea07d0319e87f12134c92a61475b840ec161275b5c132f8b0b9b65b11cca5a8ae16f0ae9516f12fb49dba9738b1615809f27e6080a30fff1f1
SSDEEP

6144:ZgytYqcgUz5pz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:ZgybcgUzgsUasUqsU6sp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8efb09ae2d67c5c697640ed0791a3ae0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8efb09ae2d67c5c697640ed0791a3ae0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe

Executes dropped EXE 30 IoCs

pid	Process
5116	Ampkof32.exe
4088	Acjclpcf.exe
1696	Ageolo32.exe
3988	Anogiicl.exe
4732	Aqncedbp.exe
2448	Amgapeea.exe
1452	Aglemn32.exe
1580	Aepefb32.exe
436	Bmkjkd32.exe
2972	Bganhm32.exe
1492	Bnkgeg32.exe
2044	Bgcknmop.exe
3732	Bfhhoi32.exe
2916	Beihma32.exe
3240	Bjfaeh32.exe
4696	Bcoenmao.exe
644	Cenahpha.exe
4368	Caebma32.exe
1704	Cagobalc.exe
744	Cmnpgb32.exe
3420	Chcddk32.exe
1968	Calhnpgn.exe
4704	Dopigd32.exe
4132	Dejacond.exe
1444	Dfknkg32.exe
2668	Dfnjafap.exe
816	Dodbbdbb.exe
2408	Dkkcge32.exe
4204	Dddhpjof.exe
2436	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	8efb09ae2d67c5c697640ed0791a3ae0N.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	8efb09ae2d67c5c697640ed0791a3ae0N.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1068	2436	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8efb09ae2d67c5c697640ed0791a3ae0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8efb09ae2d67c5c697640ed0791a3ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8efb09ae2d67c5c697640ed0791a3ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8efb09ae2d67c5c697640ed0791a3ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 5116	1440	8efb09ae2d67c5c697640ed0791a3ae0N.exe	83
PID 1440 wrote to memory of 5116	1440	8efb09ae2d67c5c697640ed0791a3ae0N.exe	83
PID 1440 wrote to memory of 5116	1440	8efb09ae2d67c5c697640ed0791a3ae0N.exe	83
PID 5116 wrote to memory of 4088	5116	Ampkof32.exe	84
PID 5116 wrote to memory of 4088	5116	Ampkof32.exe	84
PID 5116 wrote to memory of 4088	5116	Ampkof32.exe	84
PID 4088 wrote to memory of 1696	4088	Acjclpcf.exe	85
PID 4088 wrote to memory of 1696	4088	Acjclpcf.exe	85
PID 4088 wrote to memory of 1696	4088	Acjclpcf.exe	85
PID 1696 wrote to memory of 3988	1696	Ageolo32.exe	86
PID 1696 wrote to memory of 3988	1696	Ageolo32.exe	86
PID 1696 wrote to memory of 3988	1696	Ageolo32.exe	86
PID 3988 wrote to memory of 4732	3988	Anogiicl.exe	87
PID 3988 wrote to memory of 4732	3988	Anogiicl.exe	87
PID 3988 wrote to memory of 4732	3988	Anogiicl.exe	87
PID 4732 wrote to memory of 2448	4732	Aqncedbp.exe	88
PID 4732 wrote to memory of 2448	4732	Aqncedbp.exe	88
PID 4732 wrote to memory of 2448	4732	Aqncedbp.exe	88
PID 2448 wrote to memory of 1452	2448	Amgapeea.exe	90
PID 2448 wrote to memory of 1452	2448	Amgapeea.exe	90
PID 2448 wrote to memory of 1452	2448	Amgapeea.exe	90
PID 1452 wrote to memory of 1580	1452	Aglemn32.exe	92
PID 1452 wrote to memory of 1580	1452	Aglemn32.exe	92
PID 1452 wrote to memory of 1580	1452	Aglemn32.exe	92
PID 1580 wrote to memory of 436	1580	Aepefb32.exe	93
PID 1580 wrote to memory of 436	1580	Aepefb32.exe	93
PID 1580 wrote to memory of 436	1580	Aepefb32.exe	93
PID 436 wrote to memory of 2972	436	Bmkjkd32.exe	94
PID 436 wrote to memory of 2972	436	Bmkjkd32.exe	94
PID 436 wrote to memory of 2972	436	Bmkjkd32.exe	94
PID 2972 wrote to memory of 1492	2972	Bganhm32.exe	96
PID 2972 wrote to memory of 1492	2972	Bganhm32.exe	96
PID 2972 wrote to memory of 1492	2972	Bganhm32.exe	96
PID 1492 wrote to memory of 2044	1492	Bnkgeg32.exe	97
PID 1492 wrote to memory of 2044	1492	Bnkgeg32.exe	97
PID 1492 wrote to memory of 2044	1492	Bnkgeg32.exe	97
PID 2044 wrote to memory of 3732	2044	Bgcknmop.exe	98
PID 2044 wrote to memory of 3732	2044	Bgcknmop.exe	98
PID 2044 wrote to memory of 3732	2044	Bgcknmop.exe	98
PID 3732 wrote to memory of 2916	3732	Bfhhoi32.exe	99
PID 3732 wrote to memory of 2916	3732	Bfhhoi32.exe	99
PID 3732 wrote to memory of 2916	3732	Bfhhoi32.exe	99
PID 2916 wrote to memory of 3240	2916	Beihma32.exe	100
PID 2916 wrote to memory of 3240	2916	Beihma32.exe	100
PID 2916 wrote to memory of 3240	2916	Beihma32.exe	100
PID 3240 wrote to memory of 4696	3240	Bjfaeh32.exe	101
PID 3240 wrote to memory of 4696	3240	Bjfaeh32.exe	101
PID 3240 wrote to memory of 4696	3240	Bjfaeh32.exe	101
PID 4696 wrote to memory of 644	4696	Bcoenmao.exe	102
PID 4696 wrote to memory of 644	4696	Bcoenmao.exe	102
PID 4696 wrote to memory of 644	4696	Bcoenmao.exe	102
PID 644 wrote to memory of 4368	644	Cenahpha.exe	103
PID 644 wrote to memory of 4368	644	Cenahpha.exe	103
PID 644 wrote to memory of 4368	644	Cenahpha.exe	103
PID 4368 wrote to memory of 1704	4368	Caebma32.exe	104
PID 4368 wrote to memory of 1704	4368	Caebma32.exe	104
PID 4368 wrote to memory of 1704	4368	Caebma32.exe	104
PID 1704 wrote to memory of 744	1704	Cagobalc.exe	105
PID 1704 wrote to memory of 744	1704	Cagobalc.exe	105
PID 1704 wrote to memory of 744	1704	Cagobalc.exe	105
PID 744 wrote to memory of 3420	744	Cmnpgb32.exe	106
PID 744 wrote to memory of 3420	744	Cmnpgb32.exe	106
PID 744 wrote to memory of 3420	744	Cmnpgb32.exe	106
PID 3420 wrote to memory of 1968	3420	Chcddk32.exe	107

C:\Users\Admin\AppData\Local\Temp\8efb09ae2d67c5c697640ed0791a3ae0N.exe
"C:\Users\Admin\AppData\Local\Temp\8efb09ae2d67c5c697640ed0791a3ae0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\Ampkof32.exe
  C:\Windows\system32\Ampkof32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\Acjclpcf.exe
    C:\Windows\system32\Acjclpcf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\SysWOW64\Ageolo32.exe
      C:\Windows\system32\Ageolo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 396
        33⤵
        Program crash
        
        PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2436 -ip 2436
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
352KB

MD5
a0be687303d8ee4488b3569d93362458

SHA1
90eb896b9a22a11bc52c103d6867c19940fefb1f

SHA256
ea26f3483692faec67bd54b413a1378616823d4c967f04a60232cc4e7f554199

SHA512
50bcc38ead1c6b23cebd29e2d3e7ea9922da45a189791ea4c1796124538f2a880c7320351e8711d67ffc26d7816e41d7ecfbc16fe2349822765b67072a779fa3

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
352KB

MD5
0e98d472baad1ca3102628540b3ff11e

SHA1
c6de7ae90c146b89c8bd5b157a857cfb0ba637c6

SHA256
4ecc281313a9d5e09b90d4bbe97e81c3504f6b8d9e27f00d65b4021d89c8099f

SHA512
d50ee427cb816264e3d9ffa7a636305200a99d973c042b30d50d533c7ce5e919d9c209ef92661bc8f2e0fd1eaf9c857368a7cffb70d278f1bc8e60e72a524b06

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
352KB

MD5
dcc0305fcd17da5830a005f9bc015de2

SHA1
86c0e431fca5890f925c137ed96fe9abf7c7a004

SHA256
72a0e3b37f117a5907944a0a3049b2f192430a8cb78e535e950cb622077442b5

SHA512
2923d03c7420aa908199bc0157ecc8a6d8553ed0710ebcfcb27763d8a89f84355961e06b96e096dc3b499f587e16728aed9aa819436af23100262b65d192f32b

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
352KB

MD5
6dcb7085ff32a7160759fc21d7243b67

SHA1
098b639ac5b574997fd9ead0ea0ad0eaf5de8d9c

SHA256
3e6d7b2d5b344c592febecf54317d83de6a96098d20e1b972eb425ec1174b002

SHA512
1ec098b60d292962c0a59dfcda7aa23dd63a5334353c52c1d32724b2b504b2d0fdd06d64aa3978412de8f2d0e4e808e8f9e3e9a9aad261beb34fde821663cb36

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
352KB

MD5
caa65b6ef9a409207262f5feee2749dd

SHA1
2a5b4bfdfd2263bf0efb422047f0f4a8788616ad

SHA256
2991374d88efa3a77f5f9082fb38d59259543d55a5bfb5b833ff4b2953b4864b

SHA512
24088ec4eb2c145320fb6c0cae8503c773a53b2e05c0eaa34073d0aa6d25afe98390201eb6731723f295097768418890399fbe080d5560477860c62435b692bc

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
352KB

MD5
e8280b515513b1af642a2e7a53bf85cf

SHA1
042fdf5a88963f89fd77867eb7bb287f3150a1f6

SHA256
14ad18ebef257e194c9536dc0fc99301c0c654797f4f63a789550d7d5443d227

SHA512
bcfc68c0b64ced326ba4b0c82ac912c800619deba58b9895b1627202019f8dea95c7942267212ace93dd7febc9a10cd27352278f3756eea954a4823642e8e7c9

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
352KB

MD5
d70567a8ea47afaf7f7c23716044e384

SHA1
190f6b9e8040fb541147bb386dd62074ce9c19b0

SHA256
4cda83f8ef397af03a50578b5bc02a8051681015af1868686971e4bdecf21d30

SHA512
df17f4c2421cd1f2b1e7f3473d411fe84c4c0e4dcf6b5d813cf3551725dc16353ad9d9494e1c8a3e77ff2bdccbe3448b286119a51d41edc7d7c01597b527b4e5

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
352KB

MD5
856f1d17890d05d033a3ddc92e3a4cdc

SHA1
65ef0380e6a73a2c6e7cdbc32c95c16414a089ce

SHA256
4b071851008babb176437d4ae925511859fbe7d21fc6bbf4f33aace8918f2120

SHA512
ba087ada1ed3a73bcedac1370acaddf10f22c9f2a33f22c590d2901af0f915ad1542a9a42cb2343c53aacb36a1df7062244349260193ff251811585eb7add0ee

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
352KB

MD5
d2cb12f454cb80125b28554f202ee082

SHA1
aa726df5ab1e26aee51216256bb0e39f86a67e94

SHA256
e32eaea8d033187633352d72a327db0ce4634d36d96f3473f25a27ec7d33ba06

SHA512
4be76c2fed54413277d870d46d1405aa631f3861453b5b1deb8e7e41bc2bad4fdbe681ceb9c9391b9f4baaac5326d409fd03f0a9d29f8d1e9ca8c400e9f2491b

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
352KB

MD5
9b861c1afd8535ede7b32c80a5543ce4

SHA1
5751de255f0cf69fafe730f3c0e3a8b1c208e124

SHA256
240a7a4ca2d2af8cb454c6afe098ade260a32cde1bdc72033789e2e70a7d7ed7

SHA512
64345e130288aae2196f3d5f5aea1f999016ef87fa6c226182b1132aad0f81f03abf1a94698041b17ed241b92c95a01fbb263d50abe866895852d1da1b42a8a4

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
352KB

MD5
8784b8cdeb4c392c23cf22b06ccb5102

SHA1
13e97323929b5487a53e73e29a510b5810a600fb

SHA256
b21e26166b8e44baebbfae741c30be2013a739045d610f6badc372ce457f0552

SHA512
80711beaae14d45ee2da19c3f20be86c3780de20dc2098a52cfce3afa831461317b704d76c6ea2f9dad046a38bcf12e11844ef23264422e43b4e6a4534303a89

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
352KB

MD5
d2070be7b981bab647a37078bdd6ef15

SHA1
300cc9fc0184ba4f9e0b5f161bddf1cfb700882d

SHA256
7ce0008f24442733b0fca5c9a208857f65646df89c34ea953554bbf0c2ffeac3

SHA512
11c2d930a0be7d6c16c2c47b963aeebf408a59ebb4ec5a516e5fb8bc61d1a3f5c8b8ae92e2d7820bc02ae71a60c1faf351543089011f2a595bcea3783255acfb

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
352KB

MD5
2cc107ab862126dfceb0a70ffb45ebf5

SHA1
cd09d5454d5a53fa638362689ce7b33ba876fd3f

SHA256
670b5a498dfb735d6243de75453140bbdfa06d5396d520492cf1d87b0a0f075f

SHA512
9f15a518fc09e89c205a2ad2dcec4ee132a3ce33abd49e9f4ab0b57a6d0d49a75da16f4d6b2a40755213785f87a0c3d9e12ee6c7d46d5e7c9204f805ebdba77e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
352KB

MD5
f126d73bdbec05049f76771aa808aa14

SHA1
4d55bdd84a62d7168ee0218c0cd720fa86690295

SHA256
0a49ad10db84b7a676ae1407a2a47c87ed70103063121d7616906557ab7e2f5d

SHA512
87d977f40738373f452c99aca0bc795358e25625bd314e3b134a28eed20c9da2674d5babbc1a951dabd35165be951b7d88ef13080bbdfaed17d5dd8322bb93e6

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
352KB

MD5
1a23a48eecaa90d44079ea8fb1ffb7de

SHA1
eba4d3ec1dfcc42ba6054010e0a0ef69f0b5ac9a

SHA256
0c56b6779c2fdfb6e2592f9c6a29cea5bd63fb06465e7eb5137ddafe65ae1c72

SHA512
2844bebfc70ac4914e3045eb17a38f6efa34dcbc571f71b87d564cf4509d83451ecef91756be1ac6029f9b35da35fae2bda7aa00dde8e81a3d5b121c35032fec

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
352KB

MD5
93c31f412f335c98f5f73957c3df9aef

SHA1
7c9ea07df4dc6b640fc3c688e8e6e06e1156a88a

SHA256
1d24e5acaaa7c708290233c83b7daec92553cc1651bba33c30f35746a9354a42

SHA512
209d61a56aa69af750bc0abaca73f9bdaab201363c66bfc8ccfa388d68de60b23fa48819e5b2a9fcaab1e3b5394fbfc11fe8916cb92d04cb0be17696f2390b3d

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
352KB

MD5
8bee92a9612c94c9f79139157ecc6579

SHA1
9dc0472506feb0b6285c318eed368ed91593126d

SHA256
320fba68043fd025a2bc0862ec294a3dfbf99e0e9cf87abd481c76aa76302625

SHA512
91c06a49d7ff823421a3273fce764fdbdeded59161b3a6453ce4ce598488ba179f6ecd3412014464022d90c605ff40e67ac5c28e67161ddc9f3f3008ba2c80ab

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
352KB

MD5
31db945bbb85400d5012db0c33091b34

SHA1
1f479268cd117e02d1167faf602696985daf4023

SHA256
34acc893c496d3585f1688cdce5f0b3cc630e0d0845d964a91423f0a3a2b79c7

SHA512
3314cb4987e0b7cfcc8eafd790faccc0fa281eaaa60f988380ecc4e967257a2551e78915c75dd7791cac2699203a0677aa84a3811c9e3040cb97ee7d62423d8f

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
352KB

MD5
4c34b810489d73ededcc991a015079ab

SHA1
9519a4be75276d43e1c76abaa6f7afbe15fc510e

SHA256
d6409eed82a62398be7b22cd9e5f8baaec3e26a687f4639c64b02061abcec968

SHA512
f82ac55fed67c8cdf83e7d710a8243f8e2d2da3b9299eed9738d9417f1a3a7eff6f8cf28f1651e41c2484fe6b5ec22d3feadd9451fca9d553ecdaf5702ec1d85

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
352KB

MD5
f4e74f231b02808ca2ec87ab616ad39b

SHA1
c038c851621e31c67672ddfbfe95687458d32d78

SHA256
378dec4214dbaa0646c247652936177222f8a49c83e65101f9e5c4a9a9d90685

SHA512
b8facb9651a5ef2ac1a191195bc5fcb1b5578cd7ae551dbfd0d167ff586fa8b686225fb650c860b3275b9ae2c1d4d7c7783bc332d0b7883759f16ac45718a10b

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
352KB

MD5
9bef810364391961d966b01115cf1397

SHA1
4e5e590d3b8f17a25f04e1ddaf540fd42fe08359

SHA256
4a288de0f86c4795b198b993d7e9a697583ab46b6462791ce39e055a3bb5752a

SHA512
1872d03bbe0d2b9cca6d6cbde01148bd185926ce23236af0e5f1fb6d10c26bab13269d70f9ed41a654093442e90e80f7214908df12a6e82ac1dc99d85ed0409f

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
352KB

MD5
d73391ceda9a655f74ece43784c259a4

SHA1
e457b5af3fc34f891019f86efff434b055d8389c

SHA256
ad1320ab493998b1182eed0bcffcf4f735db122cbf550cbe6023cc5f33aeb150

SHA512
d8474ee807c4d246021dd3111d13bef1bf6257ca97138be9b7de8db86d8d225dd190f52da4aac899cfd36f61e2d58faa77224c39eedf04dc170dacbd5844bcc4

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
352KB

MD5
716a951f01a949df04c5777a82679f5d

SHA1
fdcf8295eebb897696d2d6a3c8d36fa88db17db6

SHA256
b9f95a546d9eedf2b2bd823651e9ae91accb92e3efd3c1b37f92fbbee459db64

SHA512
75def3099c92765399ce33b20280e610f16a56b60343ff34095165cc2d2818a2cf95b55edf0639fa1fd327a699f7bc9848bb62346ee890f1d70a439463ad105f

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
352KB

MD5
df6bc8dd2a9af12337f7412f6088b358

SHA1
4a90e99fd88f3cd85a7e2a18a4ba280d338203dd

SHA256
5c04b27263282beb81994cf0271d86315828309771505252c880bb3f1290ddef

SHA512
d2f64a3c07654662fe884a35dff243c0dff503e3718acc689734b98d5f3e9cedcae16b3b031d53c7e8969168653eb8d9e3d11a71c0375ec28021328efba27135

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
352KB

MD5
16a81867163adfa49f87962f8593cdcf

SHA1
f73c3f7fd6bd1bb1ef5e15cded2b26ab607037f1

SHA256
d38bd6b1562dc55c3f1b69f0cd969a595617a8771e3f7691cabda9b7f0160133

SHA512
50c64514885e0ef7ec3c3c7b0eb24268ad7672435c8f1efc7b0ae3ff8197c99e51a17e10ed65de754b9bf26d6c900a27d444d0a25b8abdb7b11153c1f737db35

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
352KB

MD5
401cf9eac046669b941afa9db086ebf9

SHA1
9a4b99192ad55c413ab8f57c83f8315b6494a244

SHA256
5c73cdbe61c1a60123e640c8739f4fd5510b3f2657e7829bdceb883b260cf55b

SHA512
c8b4ca94cf9cc31a9266f8823257cf034a4ca1ffbc5e36b17da7536da5524da96bbfe8165c728dc86eb65f10f71b0063ef46c9239c98fa98efe2fa5728b46e79

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
352KB

MD5
0ebbb2ad4eec84e96c0736d454806bb6

SHA1
b0a6bdba00201f2437a0721729728a6ca29dcd9d

SHA256
3a6a5ea500612cdc0850c4aad34f31b628279133d9c70ce7942a62aa7e0db3de

SHA512
f0aa57314b90179bb9d25415dc028fd9cf61d8d2f471b8c41b51314bcabad3e3cf90c48139b003184d20e8ced93d85a92c144145162c7483c033255c596d5385

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
352KB

MD5
50b3920e359d2c66e1df99c6247c31a4

SHA1
91987048ecda48d0aa9e4db9abfdd9505d22ae94

SHA256
a492473d55077967dfce285bbb466de9bf5c7190f6168bc25c28f9beaff6ad7b

SHA512
de79f162cd788147b6031e93ad93c3371b56a5f51d3cd9e6dba49b7062cbbc82b165fb872557683a254cdb4ddeb4a2d835bbc98df702a8686aedc5c6eb097e6d

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
352KB

MD5
d5b4a18eabce6a98ea22f711f9254b48

SHA1
3e6a0fdb6372c1e3807b40eb9f1f61696e115da1

SHA256
bbf85fd0da90cb26594974c16441952142788dc5f540d5857728d6d9e0a303d5

SHA512
daf4e7c65d23a40bc79dfbebe36709269411f782685cda030977f5e8f2599d12cefeebd9c6f279ea184a130d02fe309d705bbfe128f2475c2bd1d1df53effd8f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
352KB

MD5
902addffbc54deee4163e7c724917fef

SHA1
a4205e6998b4476bf34703d55a6ff567dfd8d536

SHA256
f05ae0b9dd411ee453d6036d0d1cf27f33a95adfcc28d45cdc3179708b370c8c

SHA512
8cdbaf6fe61ca0a2b383c55ab2410531c33e0db39a9d9544be03678012698fd53f177ae9e7a13868fe676a30c3acbcaeead447e9f5328dcb8830532d1a845f06

Download Submit
memory/436-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/436-287-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/644-271-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/644-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/744-265-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/744-161-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/816-250-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/816-249-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/816-217-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1440-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1440-305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1440-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1444-201-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1444-255-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1452-291-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1452-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1492-283-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1492-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1580-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1580-289-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-299-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1704-267-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1968-261-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1968-176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2044-281-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2408-251-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2408-224-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2436-244-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2436-241-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-293-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2448-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2668-209-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2668-253-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2916-277-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2916-116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-285-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3240-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3240-275-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3420-263-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3420-169-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3732-104-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3732-279-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3988-297-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3988-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4088-301-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4088-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4132-193-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4132-257-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4204-245-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4204-233-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4368-269-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4368-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4424-225-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4424-247-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4696-273-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4696-128-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4704-185-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4704-259-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4732-295-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4732-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5116-303-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5116-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads