0376681014d2ccead0ed1dc868edc05b490c902dd62b3c5828409e4eae6844fd

Analysis

max time kernel
104s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 14:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e86c775309be9574b7308e024a69c560N.exe
Size

187KB
MD5

e86c775309be9574b7308e024a69c560
SHA1

057885e920a5bbd2d73ca17735415ce96147894d
SHA256

0376681014d2ccead0ed1dc868edc05b490c902dd62b3c5828409e4eae6844fd
SHA512

82f85e23608310b45e299978c17d5cdfaaea055a1fd5ff97472aed657812786cbbed7ef680559a349d0899fca04cd459a6b7e12d1c02f6d5beba10ee71a5313c
SSDEEP

3072:M4DCZFcuJ53a4dGmvejZl2NkzwH5GJks8WYlOWe7VsayDZVZev1N:ne899zwZ9s8SZq/svL

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e86c775309be9574b7308e024a69c560N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e86c775309be9574b7308e024a69c560N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe

Executes dropped EXE 31 IoCs

pid	Process
924	Bhhdil32.exe
1332	Bnbmefbg.exe
1764	Bmemac32.exe
2460	Cfmajipb.exe
4800	Cmgjgcgo.exe
396	Cdabcm32.exe
4520	Cfpnph32.exe
4796	Cmiflbel.exe
3040	Ceqnmpfo.exe
3224	Cnicfe32.exe
4120	Cagobalc.exe
2344	Chagok32.exe
1400	Ceehho32.exe
3816	Chcddk32.exe
4680	Cnnlaehj.exe
3700	Cegdnopg.exe
3544	Ddjejl32.exe
3468	Dmcibama.exe
4464	Dejacond.exe
1768	Dhhnpjmh.exe
1096	Dmefhako.exe
4148	Daqbip32.exe
3948	Ddonekbl.exe
2356	Dkifae32.exe
1948	Dmgbnq32.exe
4844	Deokon32.exe
2068	Dhmgki32.exe
3520	Deagdn32.exe
1996	Dhocqigp.exe
440	Dknpmdfc.exe
4960	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	e86c775309be9574b7308e024a69c560N.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	e86c775309be9574b7308e024a69c560N.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	e86c775309be9574b7308e024a69c560N.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2968	4960	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e86c775309be9574b7308e024a69c560N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e86c775309be9574b7308e024a69c560N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 924	2284	e86c775309be9574b7308e024a69c560N.exe	84
PID 2284 wrote to memory of 924	2284	e86c775309be9574b7308e024a69c560N.exe	84
PID 2284 wrote to memory of 924	2284	e86c775309be9574b7308e024a69c560N.exe	84
PID 924 wrote to memory of 1332	924	Bhhdil32.exe	85
PID 924 wrote to memory of 1332	924	Bhhdil32.exe	85
PID 924 wrote to memory of 1332	924	Bhhdil32.exe	85
PID 1332 wrote to memory of 1764	1332	Bnbmefbg.exe	86
PID 1332 wrote to memory of 1764	1332	Bnbmefbg.exe	86
PID 1332 wrote to memory of 1764	1332	Bnbmefbg.exe	86
PID 1764 wrote to memory of 2460	1764	Bmemac32.exe	87
PID 1764 wrote to memory of 2460	1764	Bmemac32.exe	87
PID 1764 wrote to memory of 2460	1764	Bmemac32.exe	87
PID 2460 wrote to memory of 4800	2460	Cfmajipb.exe	88
PID 2460 wrote to memory of 4800	2460	Cfmajipb.exe	88
PID 2460 wrote to memory of 4800	2460	Cfmajipb.exe	88
PID 4800 wrote to memory of 396	4800	Cmgjgcgo.exe	89
PID 4800 wrote to memory of 396	4800	Cmgjgcgo.exe	89
PID 4800 wrote to memory of 396	4800	Cmgjgcgo.exe	89
PID 396 wrote to memory of 4520	396	Cdabcm32.exe	90
PID 396 wrote to memory of 4520	396	Cdabcm32.exe	90
PID 396 wrote to memory of 4520	396	Cdabcm32.exe	90
PID 4520 wrote to memory of 4796	4520	Cfpnph32.exe	91
PID 4520 wrote to memory of 4796	4520	Cfpnph32.exe	91
PID 4520 wrote to memory of 4796	4520	Cfpnph32.exe	91
PID 4796 wrote to memory of 3040	4796	Cmiflbel.exe	93
PID 4796 wrote to memory of 3040	4796	Cmiflbel.exe	93
PID 4796 wrote to memory of 3040	4796	Cmiflbel.exe	93
PID 3040 wrote to memory of 3224	3040	Ceqnmpfo.exe	94
PID 3040 wrote to memory of 3224	3040	Ceqnmpfo.exe	94
PID 3040 wrote to memory of 3224	3040	Ceqnmpfo.exe	94
PID 3224 wrote to memory of 4120	3224	Cnicfe32.exe	95
PID 3224 wrote to memory of 4120	3224	Cnicfe32.exe	95
PID 3224 wrote to memory of 4120	3224	Cnicfe32.exe	95
PID 4120 wrote to memory of 2344	4120	Cagobalc.exe	96
PID 4120 wrote to memory of 2344	4120	Cagobalc.exe	96
PID 4120 wrote to memory of 2344	4120	Cagobalc.exe	96
PID 2344 wrote to memory of 1400	2344	Chagok32.exe	98
PID 2344 wrote to memory of 1400	2344	Chagok32.exe	98
PID 2344 wrote to memory of 1400	2344	Chagok32.exe	98
PID 1400 wrote to memory of 3816	1400	Ceehho32.exe	99
PID 1400 wrote to memory of 3816	1400	Ceehho32.exe	99
PID 1400 wrote to memory of 3816	1400	Ceehho32.exe	99
PID 3816 wrote to memory of 4680	3816	Chcddk32.exe	100
PID 3816 wrote to memory of 4680	3816	Chcddk32.exe	100
PID 3816 wrote to memory of 4680	3816	Chcddk32.exe	100
PID 4680 wrote to memory of 3700	4680	Cnnlaehj.exe	102
PID 4680 wrote to memory of 3700	4680	Cnnlaehj.exe	102
PID 4680 wrote to memory of 3700	4680	Cnnlaehj.exe	102
PID 3700 wrote to memory of 3544	3700	Cegdnopg.exe	103
PID 3700 wrote to memory of 3544	3700	Cegdnopg.exe	103
PID 3700 wrote to memory of 3544	3700	Cegdnopg.exe	103
PID 3544 wrote to memory of 3468	3544	Ddjejl32.exe	104
PID 3544 wrote to memory of 3468	3544	Ddjejl32.exe	104
PID 3544 wrote to memory of 3468	3544	Ddjejl32.exe	104
PID 3468 wrote to memory of 4464	3468	Dmcibama.exe	105
PID 3468 wrote to memory of 4464	3468	Dmcibama.exe	105
PID 3468 wrote to memory of 4464	3468	Dmcibama.exe	105
PID 4464 wrote to memory of 1768	4464	Dejacond.exe	106
PID 4464 wrote to memory of 1768	4464	Dejacond.exe	106
PID 4464 wrote to memory of 1768	4464	Dejacond.exe	106
PID 1768 wrote to memory of 1096	1768	Dhhnpjmh.exe	107
PID 1768 wrote to memory of 1096	1768	Dhhnpjmh.exe	107
PID 1768 wrote to memory of 1096	1768	Dhhnpjmh.exe	107
PID 1096 wrote to memory of 4148	1096	Dmefhako.exe	108

C:\Users\Admin\AppData\Local\Temp\e86c775309be9574b7308e024a69c560N.exe
"C:\Users\Admin\AppData\Local\Temp\e86c775309be9574b7308e024a69c560N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\Bhhdil32.exe
  C:\Windows\system32\Bhhdil32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\Bnbmefbg.exe
    C:\Windows\system32\Bnbmefbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\SysWOW64\Bmemac32.exe
      C:\Windows\system32\Bmemac32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 408
        33⤵
        Program crash
        
        PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4960 -ip 4960
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
187KB

MD5
326e63b9e502db0a32c1bcb4dc883450

SHA1
2e40448b25af596b2f2bebd398fcb6894199eb88

SHA256
73509b6ef4b78e3cfe1440cf314825f65f411ae22278058d880df7f4108b49bf

SHA512
8fdacd48c3cf2e7137f71e34ca1462a06eea61c2eff7e6d5f3d773295a5d470e252449f43f8f509cc0d6191c5733144ee41cb0b46444499616431ea5955acbc6

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
187KB

MD5
4117b0651aeec446fc939b25c6bf05e2

SHA1
65f9c51fddd63d7af2d999da1496a34d17c62824

SHA256
3a80c6bcfd36092f728c0e1cd496d46b97bb8cd5637c28f006ea177743946718

SHA512
57374506e9e6e2d315a31a8ccee72bfe7e1fedd6ccf00d45c07391f775fc2ebd8323e88a50b3f0f0f0975ce78b39448e32836800ee242f8c055ef4f39a9e791b

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
187KB

MD5
e9210ecf8ac04a2e128688b61eba6063

SHA1
b685cc41b58dfc448bddd4bcf3bf0d8101bc14ce

SHA256
820e923caf6749aa576e3a997978b27523f2aaa092d8afb1a617a05131386e58

SHA512
ae7c596e188e708b1f406cb74126d46efb3ee8afee95b3abde349c6f5bdd8763710e332893842935638cb97ffaf1051bffcb41ccd5514de6c40054cf8bdb2751

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
187KB

MD5
63efd0bfe4325442a04d81877e01d6ae

SHA1
6807005f57d2382503ecd5486efe96303c231c2a

SHA256
8d9f01554836b46b275e1c0a825398e08240c182cbf8569e59bc9048a64f95c4

SHA512
d9765dc2cfc82fb945da7a0f61f7ba92b66ec1b4059ebe480acfae3e4f3e58129d365c17c43992b57189fefc9dcd6ee4b211fee90e0af3169df7d37c75dbf47e

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
187KB

MD5
ac665f7f90234e5e4937c0a5c4c793e8

SHA1
611cad3dc58881a5d2dfabb8fcc9c75e0fbadc7f

SHA256
62619826c893b55d8a74a4e9b7b02d8480339e2c62d4afe96b23199963a87914

SHA512
ffb675650734cc1a8acc721bc9533007214b9faae0f73b7f8327617e1f77f2e8a4fc66c719831d0bacbf339d32a36e234af3dbf4bf6604597201d1dba2786c1f

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
187KB

MD5
9d6d2e3d80f1666ac390c261dd35ae5e

SHA1
357725ea4c00a2f1b17203590c3ffe1df8a77ce8

SHA256
d00663ad6739c337817430def070377df5979058442cfe0366709d3ffed02da3

SHA512
0e6f4ddda4c8ff23bd36fee3d613e4e4c5a3c1b38f09ff66acd4d09ab6a2bcbf95a225ee993dc735bcc1999316630ee8145a1943850841ab69baba5d0eee42c9

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
187KB

MD5
cc3c760c756bb2d7c0ad46c0484cfa27

SHA1
c72f861700c1474cc950aa6e6e3abe6a6653d265

SHA256
2bc503c40e7fa1a9d8562212216356bf50adbd7c12411889f38c8c89af7c48a3

SHA512
7cd3ab1eded91ec1466cc12816cfa3d3e98548e4fa0fe0ee8645d94a40697ac6556d7c9d92cef2b8a7724c2b9b23302ba03083354d8db348a0295623b96a4a39

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
187KB

MD5
c704bdd1128b21ad8bf87fd5306e107b

SHA1
e573e0dbe93f2795f8f59ca06a2fdaec5daa4638

SHA256
db7cf8ca6b5510576c187a0c33859c16a3bb1e4aae8afb8cd0d5156feacb1ad3

SHA512
66c04b7667465db117ce85bb2420107c104e749595f165a85bdd248e45d096ac31a5c7ea5493f6ac450dd5aa17d758b278de442695d5b747aeb97cfc6b89f6dc

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
187KB

MD5
834b2f45e54857a0c26cbf7549c06aeb

SHA1
4bf5f3240e2d64078e6168c64c8d0c816f3f8a86

SHA256
bc205b251f9fb8ef5ab9a02a178649ca365e5b483a03f064f41b6798c5c921cb

SHA512
23917f193ead2b5547193a569eed8bf5b8419ed5a0390008b11a5d0a791da3cd1561f5a0d732fc3a3ed8e0bf577a8a9c3d40f3aa3a13404fafad5995430f849a

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
187KB

MD5
2756231500da64e0b606347e4b055a0e

SHA1
eb51d3a7d450a42daad2bb18ad95622e213ae222

SHA256
5d38ab2837ac9a4222695c1d0e07f6df759dd901937e8bf9b0a4101c73ab3f1f

SHA512
57797504e5cab4f85301ed8de2b519a0c6bd738bd911180e13584998a273120f03b3bc3c71f905e318487e4cc31e71615349b7b98a77444fe3eeea65cf46652e

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
187KB

MD5
5d24fbdbce92d733a68f4713433638da

SHA1
0ce32488a3fff5b6baf207d7b4a3a6556158aebe

SHA256
56a49b879e20dd2b53a1a9afd6fc125c43531a1890bebb3ad12fa2ff4a8ecb6e

SHA512
606dfdf9ceef7146e17e9826386b1e4602db35a24ebe52899738081a760aaeabc23ad5f15a7da5507ca7b3bf14b776b724102eabcdb2c24397ce60efe2ba9b8b

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
187KB

MD5
a186e7be7116abbfea50322d5dd74c9f

SHA1
ace4a7b76b8efcdfa1aa5dabb269645d37a807f5

SHA256
cd8daa2259dc0a4ff4a2a406f857a573c561f040368cbb2bf2361ca015ae64ca

SHA512
3845f039d7e17f2b17e66505a27a4930590dd3e448f42f421203781b5aee7e8fe9e4f15c786b791626ca4f36f1971504e4f156447a1002ec38aca2acf88060b4

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
187KB

MD5
22d75ea7bb3b2f13bd957dedad3ee056

SHA1
633b5444fe8d06df52c79fcd4643f399681246b9

SHA256
58d758ced61f10d1fa268bd7ab0e27aff5912156ac2ddb42f3975c1592c93daf

SHA512
1fbc35e7d442d722061e0fd0b1a6bf5a4a35b6dd94130b080ebbb180138ba2fd75f724d071520905d9a0cbc2a508ea149566164614623e2d906d56df85277d7f

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
187KB

MD5
539605faa3d2bd5c4593a53e523de986

SHA1
4cf4cbe08d3a01c0e19470d9fdb054ddce7b7644

SHA256
7aa344c6fc6667dde585ac69ad26ca7a2367b22cda5f60915c17d6de3c4bdade

SHA512
419dee70f7e0aeec8fd9d579b3cf29e5524bf5e431aa627b04e9aba964a21d7243a1a13cc273cf5974f73b2d70d8898c6fa7989f7eb31ab4ac1462f570825003

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
187KB

MD5
a286f04fc13f8783cb157154727bd3bf

SHA1
839fdb827c8b5be2c0bb4c20dc9b71ea76dfcf3e

SHA256
89b27cc9ba058a1c880adf871091fe0bf595b4b8f22d722420cdc6b061e588b1

SHA512
2d6319efccf40b5c36fed6113e31390ac800e4eb034124470720b4ea8c3d7d757bd7c78beaa8184faf579400afb3ba68115f612c3e06d55be83fa3c31b1c54c6

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
187KB

MD5
08e7bc42225c14cd565c55131b0f1f93

SHA1
444dc3d6f539d50d8e0eaacc24a6d18b471d6459

SHA256
20971d7c00588ee8fc7057d4a6959df105a856e75cc86ed6ad6e57f0e14ebde7

SHA512
46dd50447e652b0615176ed279af5e23c755259fb4debff9425c74daf393d64daa1fb5cd4479444b0d1aaeaa04d530ac769d30165753aaeacdd29b338c8a3090

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
187KB

MD5
c261993211152b172cd713e44ca8c723

SHA1
94e51c553ed132b1c96aafbc36da96c999b0dd76

SHA256
8fd615dbce0912ede0b95fe5c6412dec4c7df3c7ba5ff37e04fd71d9b66ac385

SHA512
33216dc6d510e4d8f24e016570a65d697413b91fa466a597fab90984dd1b703ecaeb41e5e25ba2689517a23a028c7d832503fef9abb6a4538cb85492f178b45f

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
187KB

MD5
525776c432a3028baaf10e6a215c422d

SHA1
7ea8aff44a2b26b410a79af61fd8410961d830cf

SHA256
59c5f0b5f74785e71e76917b46ecd122d2debd2e3e46fd1ba6a2ba29600edf9f

SHA512
649191432d1df88242ebd503d60c68d7885e606339c22963608b0b42a1ab053f51e312e094228c8d06607b2c821c969807b52d895b08898243a79c7955d2f9ee

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
187KB

MD5
d369df35de0fb872be01b01e5cfce7f7

SHA1
5e63dd37d2b2c99c3b4e2a7b2a98d28219aa2a34

SHA256
67abd1d9c0e646bd5ab4532cc056fd2648c161884f579a718c461b8a62f9ca93

SHA512
9a2e733ad025edff983b2ce2f20f09a73dd46bd31cd37e57e964042431380b1c773517a1ab32d178be6a9a7b34610423322b43cb191223d59ead09be5aaaf68e

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
187KB

MD5
9fa159c2cbce7efbd938bcb48e81d4e1

SHA1
dbca9e7bdaeb1ddcaf7b181bddb887cac952dc11

SHA256
de5bda3240dfb0dbc2629554ac74173ab20093e8dd24204ae473105f14244c23

SHA512
b0409d7e03be3f8de26e32e525147df3a6ae5a8fe52ef0f8f676ff5abcf93b55abfb55f30661cb41254288c6625672070b554f2336e8cb4de30dc66a57714445

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
187KB

MD5
e316a8cda78993fb6caa56a814a56ed9

SHA1
26a1ba699254eec276470ce52df0d7ec9847814a

SHA256
954bdc8cc02e1d18e1ee9f78b0dc556b47a3f99fb096dbb2016512d5ed4de560

SHA512
849b67fc5c5cb45f8b1f7cc2ebbee785582ce2b243234aff07f82887c9d47562513264e161474430f7a7b0421fdd13aa6bf77709a02a6cde09586f023af95db1

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
187KB

MD5
346b1a81b808e2633befe330dcd5bb43

SHA1
d3b8a30f267617cc43989fa6d73cd0e5ab88061d

SHA256
f656e9bb25a06c086b633170df0e9fd0600ffea66a221e8743a79d3234938756

SHA512
559b56a02f66ab26ee76e891a5c9e4e06552bfe627f3f784e45774fb66305baa20d6e5472492da200f281d3ca772924fa8391d6bdc4e79411b25d968c7bbf17a

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
187KB

MD5
16cb4dac88d66859f3a3d655ec88e191

SHA1
f8b8eb23984f06e308dd78d2c4dca33829610a7a

SHA256
3edda1a120fa49744d2762c4f62b52324c2cc464f6120eccedb7556f322080f8

SHA512
470728d71802c72abcb76e5dbc763631e71c4e268800c13dc95d4d9d610238cdb438d43f6eeb64879e9e9e5a09d44bea635f1ead64137ea74d88d93f3671f216

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
187KB

MD5
80fc803d0c07ca3a4fa03a9dcb362b74

SHA1
315df895052558fbedfe322414bfd2f4d8a50184

SHA256
342128d64d3fc8b173d8b4251edaf6112047b2beb64afb2895deda716d711b85

SHA512
cbc1d5b8ef8211b88323676049e7a8693ae112691306ce18fd49ef21c8848fc9e55b67cc296f6a5379f35692fefb49449ae4517197ca10136d9ab1164715ccd2

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
187KB

MD5
694d749ae98024693a5201019a2de392

SHA1
d2507f6efaa68dbf669b67f0dfb3e237f9da9a86

SHA256
3f3c87adafcdf07c28b65e9260bf09c0130383b0b0520c613b0c4f47f6d03e06

SHA512
8cf6600a541beb8a5529209391afa4c19afc43bf00eb6b93ecbf1d2d14f811b3d7f691ab18e55b7d7ba3969b69c1c0e59be5527fd2d367dae73c7115f1716cf2

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
187KB

MD5
a98dde2e5b5bcc496177256aaf37f950

SHA1
5d2774da88fee69497bcfe538eff008bbdd7121a

SHA256
1cf721d8cf10c08fde69360b0287337a8d038a9c950726dd2ba56c72aab4c19e

SHA512
e8fb515ff4f3207ab0fe65191b9ef1dd3b55f0c46af2a5b2d9933959ebf243c4c68e101426253079f00862d09b6403b5729c5924ff5708ae72758de8f13eadad

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
187KB

MD5
4dc801bdf5470199de900ab8852da46c

SHA1
c65c001f3be6464137b2dd7112695898f0b2e3e9

SHA256
d055606367749f3477ac4e8a5c6e9cd8c54bdcf24fcf895cdafbb685a6272b8b

SHA512
8f429b86f24ae47f77ff0dc299f7a2265414200f419b06d868a2fd03e8dc3b448872addfdaae9987048fea077f296a6cbb7f03f564257e38c098dda9af6909c8

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
187KB

MD5
2d9a99dc2b23a1cbcfce14fe73dd22ea

SHA1
531feea24996b1be905c37d871d598c154d7629a

SHA256
497cccabb331c11609b7f4fd1dd207789b88e0bd77157da0790428362c7e8115

SHA512
f0334970e00663aec3952c1293e955937464f3bd935dc0471cd9bd29316e7b04944d968c3ecfec798c945002a5dce977e37561185d2370375b7dfa474709874f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
187KB

MD5
7b940f5489499dcf317fa4d34b0b4700

SHA1
d61929eb1e5a5cabf36f012e79bacff90bb15a16

SHA256
8afbc77df23d9cca1f51133832aa87627c808b2744f72c767a2595b40afe1e7f

SHA512
bdca774cbdfcc1128f4ddec6eda5d48d38804bde7937bf63cbe0d10b2771fa530d27953887545b866726cacf27ae89242d116e7f8688aeb132362b0fc786f5b6

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
187KB

MD5
f31f8d7db09c2b39482ebac9c7640dbf

SHA1
66b9d6f872799d4c179bea315213882f0cc738ae

SHA256
7d5d32807f8d920285937f068b1b637d0f2290faeaa4751134540d168595df1e

SHA512
edf9f08b309f585670bc55b529d02fced68be704f30d49fa7f47a472e292c7f76e47b6c42531cf49d599175652ebbb5f8b32a599b5599f40e9b2fd1642bed5c7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
187KB

MD5
eb0f556cc7b81d4e4b7a0b94669e19e2

SHA1
24846dc92ec505f6c8ba22a1dc9f9131bb6a2282

SHA256
299109f7a5bc38a9a746d440d502ddb2c2a8229438df9888fb543e4f05d25af6

SHA512
7e1388bf678f7ca05cd8669850a92b859f2d4caa00dfef0df72503492be1d7cd6d5323762a3a386fe29c2c96b4a8fe168b8b91539d8a753642fb7a4a02f3804f

Download Submit
C:\Windows\SysWOW64\Hjfhhm32.dll

Filesize
7KB

MD5
3fdef5d34508f4c67ee9380b22d2b89e

SHA1
b0244444f5c20a01040cf0ac499e4624c60a775d

SHA256
2fdcf01a357fe96d35e8ed3158ee6c205d039c15bc59952e06584fad68f73f2a

SHA512
82cf66bbcedb0f216c696308ef4da0728f5dd11ce4c8dd55c4b4516c45eb9be34876487dc1627bcb23234bbaebdb00a7641ba66ed21b48541a65074c34a43fce

Download Submit
memory/396-271-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/396-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/440-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/440-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/924-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/924-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1096-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1096-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1400-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1400-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1764-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1764-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1948-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2344-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2344-265-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3224-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3224-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3520-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3520-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3544-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3544-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3700-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3700-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3816-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3816-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4120-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4120-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4148-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-258-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4680-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4680-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4796-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4796-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads