1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3

Analysis

max time kernel
141s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
Size

55KB
MD5

55d579e962f2e0cd17c34b46894b9b75
SHA1

1d9a17c464a6ec6721d2bd9de24818b9601a88a1
SHA256

1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3
SHA512

e4253be5346677761a4a07c9a68c1eea59cd02a5067208e2d2eeaf936d6e8b8e51251b58847ba8159bc865c0bfd9fd3a795d295387bd271ced29a6575965a4a7
SSDEEP

1536:WuMLJJzgrQTBJ1Io94jyzTVLNSoNSd0A3shxD6:veP1I4zTVLNXNW0A8hh

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmmkdkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbljgpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chhbpfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmofeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcfmfc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dicann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggbgadf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfncbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcackdio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjlkhn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhekfeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbpcbo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbhlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bacgohjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biahijec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blodefdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcackdio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmoaoikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmoaoikj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdapjglj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Denknngk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkpabqoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcfmfc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behinlkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbljgpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cppjadhk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckndmaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfncbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalfdjdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcgik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkqpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkqpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfblmofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Celbik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbhlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coiqmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmofeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dglkba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckkhga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemfjgdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfblmofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behinlkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbnfmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dicann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdapjglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dalfdjdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacgohjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjlkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blodefdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmmkdkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cejfckie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcgik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmecokhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe

Executes dropped EXE 48 IoCs

pid	Process
1208	Bkdbab32.exe
2576	Bemfjgdg.exe
2892	Bfncbp32.exe
2696	Bacgohjk.exe
2708	Bcackdio.exe
2736	Bjlkhn32.exe
1916	Baecehhh.exe
2516	Bcdpacgl.exe
2604	Bfblmofp.exe
3064	Biahijec.exe
2732	Blodefdg.exe
2980	Bcfmfc32.exe
1660	Behinlkh.exe
1144	Bmoaoikj.exe
2764	Cpmmkdkn.exe
2188	Cbljgpja.exe
532	Cejfckie.exe
736	Chhbpfhi.exe
2428	Cppjadhk.exe
2136	Cbnfmo32.exe
2264	Celbik32.exe
2748	Chkoef32.exe
636	Cjikaa32.exe
1180	Cbpcbo32.exe
1740	Ceoooj32.exe
2352	Cdapjglj.exe
2900	Ckkhga32.exe
1112	Cmjdcm32.exe
2700	Caepdk32.exe
2656	Cfbhlb32.exe
2832	Ckndmaad.exe
1356	Coiqmp32.exe
1476	Dfdeab32.exe
1640	Dkpabqoa.exe
2752	Dicann32.exe
3004	Ddhekfeb.exe
876	Dggbgadf.exe
1840	Dalfdjdl.exe
1676	Dkekmp32.exe
2200	Dmcgik32.exe
2100	Ddmofeam.exe
756	Dglkba32.exe
2552	Denknngk.exe
1920	Dmecokhm.exe
2184	Dogpfc32.exe
1308	Deahcneh.exe
2596	Dlkqpg32.exe
2372	Eceimadb.exe

Loads dropped DLL 64 IoCs

pid	Process
1720	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
1720	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
1208	Bkdbab32.exe
1208	Bkdbab32.exe
2576	Bemfjgdg.exe
2576	Bemfjgdg.exe
2892	Bfncbp32.exe
2892	Bfncbp32.exe
2696	Bacgohjk.exe
2696	Bacgohjk.exe
2708	Bcackdio.exe
2708	Bcackdio.exe
2736	Bjlkhn32.exe
2736	Bjlkhn32.exe
1916	Baecehhh.exe
1916	Baecehhh.exe
2516	Bcdpacgl.exe
2516	Bcdpacgl.exe
2604	Bfblmofp.exe
2604	Bfblmofp.exe
3064	Biahijec.exe
3064	Biahijec.exe
2732	Blodefdg.exe
2732	Blodefdg.exe
2980	Bcfmfc32.exe
2980	Bcfmfc32.exe
1660	Behinlkh.exe
1660	Behinlkh.exe
1144	Bmoaoikj.exe
1144	Bmoaoikj.exe
2764	Cpmmkdkn.exe
2764	Cpmmkdkn.exe
2188	Cbljgpja.exe
2188	Cbljgpja.exe
532	Cejfckie.exe
532	Cejfckie.exe
736	Chhbpfhi.exe
736	Chhbpfhi.exe
2428	Cppjadhk.exe
2428	Cppjadhk.exe
2136	Cbnfmo32.exe
2136	Cbnfmo32.exe
2264	Celbik32.exe
2264	Celbik32.exe
2748	Chkoef32.exe
2748	Chkoef32.exe
636	Cjikaa32.exe
636	Cjikaa32.exe
1180	Cbpcbo32.exe
1180	Cbpcbo32.exe
1740	Ceoooj32.exe
1740	Ceoooj32.exe
2352	Cdapjglj.exe
2352	Cdapjglj.exe
2900	Ckkhga32.exe
2900	Ckkhga32.exe
1112	Cmjdcm32.exe
1112	Cmjdcm32.exe
2700	Caepdk32.exe
2700	Caepdk32.exe
2656	Cfbhlb32.exe
2656	Cfbhlb32.exe
2832	Ckndmaad.exe
2832	Ckndmaad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Paebkkhn.dll	Cmjdcm32.exe
File created	C:\Windows\SysWOW64\Ddmofeam.exe	Dmcgik32.exe
File opened for modification	C:\Windows\SysWOW64\Denknngk.exe	Dglkba32.exe
File opened for modification	C:\Windows\SysWOW64\Baecehhh.exe	Bjlkhn32.exe
File opened for modification	C:\Windows\SysWOW64\Cpmmkdkn.exe	Bmoaoikj.exe
File created	C:\Windows\SysWOW64\Hnnacgdn.dll	Cejfckie.exe
File opened for modification	C:\Windows\SysWOW64\Dlkqpg32.exe	Deahcneh.exe
File opened for modification	C:\Windows\SysWOW64\Bkdbab32.exe	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
File created	C:\Windows\SysWOW64\Omjkkb32.dll	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
File opened for modification	C:\Windows\SysWOW64\Bemfjgdg.exe	Bkdbab32.exe
File created	C:\Windows\SysWOW64\Baecehhh.exe	Bjlkhn32.exe
File created	C:\Windows\SysWOW64\Dfdeab32.exe	Coiqmp32.exe
File created	C:\Windows\SysWOW64\Ddhekfeb.exe	Dicann32.exe
File created	C:\Windows\SysWOW64\Celbik32.exe	Cbnfmo32.exe
File created	C:\Windows\SysWOW64\Chkoef32.exe	Celbik32.exe
File created	C:\Windows\SysWOW64\Mepmffng.dll	Cbpcbo32.exe
File created	C:\Windows\SysWOW64\Caepdk32.exe	Cmjdcm32.exe
File created	C:\Windows\SysWOW64\Dglkba32.exe	Ddmofeam.exe
File created	C:\Windows\SysWOW64\Deahcneh.exe	Dogpfc32.exe
File created	C:\Windows\SysWOW64\Bcackdio.exe	Bacgohjk.exe
File created	C:\Windows\SysWOW64\Bcdpacgl.exe	Baecehhh.exe
File created	C:\Windows\SysWOW64\Npgphdfm.dll	Blodefdg.exe
File opened for modification	C:\Windows\SysWOW64\Cppjadhk.exe	Chhbpfhi.exe
File opened for modification	C:\Windows\SysWOW64\Ckndmaad.exe	Cfbhlb32.exe
File created	C:\Windows\SysWOW64\Nkpbdj32.dll	Dmecokhm.exe
File opened for modification	C:\Windows\SysWOW64\Bcdpacgl.exe	Baecehhh.exe
File opened for modification	C:\Windows\SysWOW64\Bmoaoikj.exe	Behinlkh.exe
File created	C:\Windows\SysWOW64\Cmjdcm32.exe	Ckkhga32.exe
File created	C:\Windows\SysWOW64\Kbqgpc32.dll	Dfdeab32.exe
File opened for modification	C:\Windows\SysWOW64\Dggbgadf.exe	Ddhekfeb.exe
File created	C:\Windows\SysWOW64\Dalfdjdl.exe	Dggbgadf.exe
File created	C:\Windows\SysWOW64\Blodefdg.exe	Biahijec.exe
File opened for modification	C:\Windows\SysWOW64\Cejfckie.exe	Cbljgpja.exe
File opened for modification	C:\Windows\SysWOW64\Cjikaa32.exe	Chkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Cdapjglj.exe	Ceoooj32.exe
File opened for modification	C:\Windows\SysWOW64\Dglkba32.exe	Ddmofeam.exe
File created	C:\Windows\SysWOW64\Pjmbgjea.dll	Cbljgpja.exe
File created	C:\Windows\SysWOW64\Eapnjioj.dll	Cjikaa32.exe
File created	C:\Windows\SysWOW64\Polcapil.dll	Ceoooj32.exe
File opened for modification	C:\Windows\SysWOW64\Dkpabqoa.exe	Dfdeab32.exe
File created	C:\Windows\SysWOW64\Bfblmofp.exe	Bcdpacgl.exe
File opened for modification	C:\Windows\SysWOW64\Chkoef32.exe	Celbik32.exe
File created	C:\Windows\SysWOW64\Cifoem32.dll	Deahcneh.exe
File opened for modification	C:\Windows\SysWOW64\Blodefdg.exe	Biahijec.exe
File created	C:\Windows\SysWOW64\Fhdaigqo.dll	Bcfmfc32.exe
File created	C:\Windows\SysWOW64\Bmoaoikj.exe	Behinlkh.exe
File created	C:\Windows\SysWOW64\Cjikaa32.exe	Chkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Dicann32.exe	Dkpabqoa.exe
File created	C:\Windows\SysWOW64\Bblehg32.dll	Dmcgik32.exe
File created	C:\Windows\SysWOW64\Hiopiqpb.dll	Bfblmofp.exe
File created	C:\Windows\SysWOW64\Eodpobjn.dll	Chhbpfhi.exe
File opened for modification	C:\Windows\SysWOW64\Cmjdcm32.exe	Ckkhga32.exe
File created	C:\Windows\SysWOW64\Flnjii32.dll	Caepdk32.exe
File created	C:\Windows\SysWOW64\Eijhgopb.dll	Cfbhlb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfdeab32.exe	Coiqmp32.exe
File created	C:\Windows\SysWOW64\Cejfckie.exe	Cbljgpja.exe
File created	C:\Windows\SysWOW64\Mjijeh32.dll	Ddhekfeb.exe
File created	C:\Windows\SysWOW64\Kcclakie.dll	Dggbgadf.exe
File created	C:\Windows\SysWOW64\Dogpfc32.exe	Dmecokhm.exe
File created	C:\Windows\SysWOW64\Bfkfbm32.dll	Dlkqpg32.exe
File created	C:\Windows\SysWOW64\Hcenpoif.dll	Bcackdio.exe
File opened for modification	C:\Windows\SysWOW64\Ddhekfeb.exe	Dicann32.exe
File opened for modification	C:\Windows\SysWOW64\Bfncbp32.exe	Bemfjgdg.exe
File created	C:\Windows\SysWOW64\Dicann32.exe	Dkpabqoa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2904	2372	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmmkdkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppjadhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggbgadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmoaoikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceoooj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogpfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfblmofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cejfckie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhekfeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbljgpja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjikaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dicann32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjlkhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmofeam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdeab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpabqoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkekmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmecokhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behinlkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbnfmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbhlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coiqmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcdpacgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkqpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckkhga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckndmaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcgik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemfjgdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celbik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deahcneh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biahijec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baecehhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdapjglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfncbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caepdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalfdjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcackdio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbpcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkdbab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacgohjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blodefdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcfmfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhbpfhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Denknngk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcackdio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjlkhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdapjglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckndmaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Denknngk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baecehhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klheoobo.dll"	Celbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckkhga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmecokhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Dlkqpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beboid32.dll"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfblmofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnacgdn.dll"	Cejfckie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcenpoif.dll"	Bcackdio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coiqmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjijeh32.dll"	Ddhekfeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baecehhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdaigqo.dll"	Bcfmfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmoaoikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadann32.dll"	Chkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddhekfeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kelddd32.dll"	Ddmofeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodpobjn.dll"	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chhbpfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfepid.dll"	Denknngk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbljgpja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbpcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcophb32.dll"	Ckndmaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcgik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfncbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcfmfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmmkdkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmaimj32.dll"	Bjlkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbhlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckndmaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deahcneh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacgohjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paebkkhn.dll"	Cmjdcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcfmfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmoaoikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdapjglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coiqmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgphdfm.dll"	Blodefdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmbgjea.dll"	Cbljgpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaeaa32.dll"	Ckkhga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnjii32.dll"	Caepdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmecokhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcdpacgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemfepee.dll"	Behinlkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfdeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblehg32.dll"	Dmcgik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggbgadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaclkmid.dll"	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaggmmfa.dll"	Bemfjgdg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1208	1720	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe	30
PID 1720 wrote to memory of 1208	1720	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe	30
PID 1720 wrote to memory of 1208	1720	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe	30
PID 1720 wrote to memory of 1208	1720	1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe	30
PID 1208 wrote to memory of 2576	1208	Bkdbab32.exe	31
PID 1208 wrote to memory of 2576	1208	Bkdbab32.exe	31
PID 1208 wrote to memory of 2576	1208	Bkdbab32.exe	31
PID 1208 wrote to memory of 2576	1208	Bkdbab32.exe	31
PID 2576 wrote to memory of 2892	2576	Bemfjgdg.exe	32
PID 2576 wrote to memory of 2892	2576	Bemfjgdg.exe	32
PID 2576 wrote to memory of 2892	2576	Bemfjgdg.exe	32
PID 2576 wrote to memory of 2892	2576	Bemfjgdg.exe	32
PID 2892 wrote to memory of 2696	2892	Bfncbp32.exe	33
PID 2892 wrote to memory of 2696	2892	Bfncbp32.exe	33
PID 2892 wrote to memory of 2696	2892	Bfncbp32.exe	33
PID 2892 wrote to memory of 2696	2892	Bfncbp32.exe	33
PID 2696 wrote to memory of 2708	2696	Bacgohjk.exe	34
PID 2696 wrote to memory of 2708	2696	Bacgohjk.exe	34
PID 2696 wrote to memory of 2708	2696	Bacgohjk.exe	34
PID 2696 wrote to memory of 2708	2696	Bacgohjk.exe	34
PID 2708 wrote to memory of 2736	2708	Bcackdio.exe	35
PID 2708 wrote to memory of 2736	2708	Bcackdio.exe	35
PID 2708 wrote to memory of 2736	2708	Bcackdio.exe	35
PID 2708 wrote to memory of 2736	2708	Bcackdio.exe	35
PID 2736 wrote to memory of 1916	2736	Bjlkhn32.exe	36
PID 2736 wrote to memory of 1916	2736	Bjlkhn32.exe	36
PID 2736 wrote to memory of 1916	2736	Bjlkhn32.exe	36
PID 2736 wrote to memory of 1916	2736	Bjlkhn32.exe	36
PID 1916 wrote to memory of 2516	1916	Baecehhh.exe	37
PID 1916 wrote to memory of 2516	1916	Baecehhh.exe	37
PID 1916 wrote to memory of 2516	1916	Baecehhh.exe	37
PID 1916 wrote to memory of 2516	1916	Baecehhh.exe	37
PID 2516 wrote to memory of 2604	2516	Bcdpacgl.exe	38
PID 2516 wrote to memory of 2604	2516	Bcdpacgl.exe	38
PID 2516 wrote to memory of 2604	2516	Bcdpacgl.exe	38
PID 2516 wrote to memory of 2604	2516	Bcdpacgl.exe	38
PID 2604 wrote to memory of 3064	2604	Bfblmofp.exe	39
PID 2604 wrote to memory of 3064	2604	Bfblmofp.exe	39
PID 2604 wrote to memory of 3064	2604	Bfblmofp.exe	39
PID 2604 wrote to memory of 3064	2604	Bfblmofp.exe	39
PID 3064 wrote to memory of 2732	3064	Biahijec.exe	40
PID 3064 wrote to memory of 2732	3064	Biahijec.exe	40
PID 3064 wrote to memory of 2732	3064	Biahijec.exe	40
PID 3064 wrote to memory of 2732	3064	Biahijec.exe	40
PID 2732 wrote to memory of 2980	2732	Blodefdg.exe	41
PID 2732 wrote to memory of 2980	2732	Blodefdg.exe	41
PID 2732 wrote to memory of 2980	2732	Blodefdg.exe	41
PID 2732 wrote to memory of 2980	2732	Blodefdg.exe	41
PID 2980 wrote to memory of 1660	2980	Bcfmfc32.exe	42
PID 2980 wrote to memory of 1660	2980	Bcfmfc32.exe	42
PID 2980 wrote to memory of 1660	2980	Bcfmfc32.exe	42
PID 2980 wrote to memory of 1660	2980	Bcfmfc32.exe	42
PID 1660 wrote to memory of 1144	1660	Behinlkh.exe	43
PID 1660 wrote to memory of 1144	1660	Behinlkh.exe	43
PID 1660 wrote to memory of 1144	1660	Behinlkh.exe	43
PID 1660 wrote to memory of 1144	1660	Behinlkh.exe	43
PID 1144 wrote to memory of 2764	1144	Bmoaoikj.exe	44
PID 1144 wrote to memory of 2764	1144	Bmoaoikj.exe	44
PID 1144 wrote to memory of 2764	1144	Bmoaoikj.exe	44
PID 1144 wrote to memory of 2764	1144	Bmoaoikj.exe	44
PID 2764 wrote to memory of 2188	2764	Cpmmkdkn.exe	45
PID 2764 wrote to memory of 2188	2764	Cpmmkdkn.exe	45
PID 2764 wrote to memory of 2188	2764	Cpmmkdkn.exe	45
PID 2764 wrote to memory of 2188	2764	Cpmmkdkn.exe	45

C:\Users\Admin\AppData\Local\Temp\1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe
"C:\Users\Admin\AppData\Local\Temp\1f174ac3579209035ec381bbdd88ead707451f5cb3f36d03fed594fd06ce2eb3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\Bkdbab32.exe
  C:\Windows\system32\Bkdbab32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\Bemfjgdg.exe
    C:\Windows\system32\Bemfjgdg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\Bfncbp32.exe
      C:\Windows\system32\Bfncbp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\Bacgohjk.exe
        
        C:\Windows\system32\Bacgohjk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Bcackdio.exe
        
        C:\Windows\system32\Bcackdio.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Bjlkhn32.exe
        
        C:\Windows\system32\Bjlkhn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Baecehhh.exe
        
        C:\Windows\system32\Baecehhh.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Bcdpacgl.exe
        
        C:\Windows\system32\Bcdpacgl.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Bfblmofp.exe
        
        C:\Windows\system32\Bfblmofp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Biahijec.exe
        
        C:\Windows\system32\Biahijec.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Blodefdg.exe
        
        C:\Windows\system32\Blodefdg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Bcfmfc32.exe
        
        C:\Windows\system32\Bcfmfc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Behinlkh.exe
        
        C:\Windows\system32\Behinlkh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Bmoaoikj.exe
        
        C:\Windows\system32\Bmoaoikj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Cpmmkdkn.exe
        
        C:\Windows\system32\Cpmmkdkn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Cbljgpja.exe
        
        C:\Windows\system32\Cbljgpja.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Cejfckie.exe
        
        C:\Windows\system32\Cejfckie.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Chhbpfhi.exe
        
        C:\Windows\system32\Chhbpfhi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Cppjadhk.exe
        
        C:\Windows\system32\Cppjadhk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Cbnfmo32.exe
        
        C:\Windows\system32\Cbnfmo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Celbik32.exe
        
        C:\Windows\system32\Celbik32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Chkoef32.exe
        
        C:\Windows\system32\Chkoef32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Cjikaa32.exe
        
        C:\Windows\system32\Cjikaa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Cbpcbo32.exe
        
        C:\Windows\system32\Cbpcbo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Ceoooj32.exe
        
        C:\Windows\system32\Ceoooj32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Cdapjglj.exe
        
        C:\Windows\system32\Cdapjglj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Ckkhga32.exe
        
        C:\Windows\system32\Ckkhga32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Cmjdcm32.exe
        
        C:\Windows\system32\Cmjdcm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Caepdk32.exe
        
        C:\Windows\system32\Caepdk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Cfbhlb32.exe
        
        C:\Windows\system32\Cfbhlb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Ckndmaad.exe
        
        C:\Windows\system32\Ckndmaad.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Coiqmp32.exe
        
        C:\Windows\system32\Coiqmp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Dfdeab32.exe
        
        C:\Windows\system32\Dfdeab32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Dkpabqoa.exe
        
        C:\Windows\system32\Dkpabqoa.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Dicann32.exe
        
        C:\Windows\system32\Dicann32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Ddhekfeb.exe
        
        C:\Windows\system32\Ddhekfeb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Dggbgadf.exe
        
        C:\Windows\system32\Dggbgadf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Dalfdjdl.exe
        
        C:\Windows\system32\Dalfdjdl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Dkekmp32.exe
        
        C:\Windows\system32\Dkekmp32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Dmcgik32.exe
        
        C:\Windows\system32\Dmcgik32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ddmofeam.exe
        
        C:\Windows\system32\Ddmofeam.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Dglkba32.exe
        
        C:\Windows\system32\Dglkba32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\Denknngk.exe
        
        C:\Windows\system32\Denknngk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Dmecokhm.exe
        
        C:\Windows\system32\Dmecokhm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Dogpfc32.exe
        
        C:\Windows\system32\Dogpfc32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Deahcneh.exe
        
        C:\Windows\system32\Deahcneh.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Dlkqpg32.exe
        
        C:\Windows\system32\Dlkqpg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 140
        50⤵
        Program crash
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bemfjgdg.exe

Filesize
55KB

MD5
27592d3c7c7c98a5fb450766bbcf7d9b

SHA1
47f5723702cd76f846a366cdf42d4dcee15f54e7

SHA256
9aef5f8bc8f0e10159195c0ac45a1e21b2d23ab12aac15403cf4d98b97fae4b0

SHA512
9b9ab4ba85c67f5f41d6a90d5941e4d790286d2a3d8df981e24f30cfd5092f9afc4350e2026f7a69b0142b3be0d8287da5369ed12fc8e1f9c0de970c0b306147

Download Submit
C:\Windows\SysWOW64\Biahijec.exe

Filesize
55KB

MD5
0935df9a8fe1bc646ed3f6e400626bf9

SHA1
231d4433d4db4c9aa88afe74a1c32573a8e5351c

SHA256
577775b9a05380baabf8625d7608fe51e9313b0807b95874adffaf8e04bccfc2

SHA512
c245b7607fe4385e0856c9dcacc32dd441641332329616bc5dcd84e20bdc374b5176019fbde24798322624d139ed1d84b4377f6825addb4c66526e3b47e85151

Download Submit
C:\Windows\SysWOW64\Caepdk32.exe

Filesize
55KB

MD5
1e40b3f1a872628f841694801d01f66f

SHA1
bf297afd74ac5af5d6c4a786bd313d256a3b30a0

SHA256
79e21d6d98254ea9d2004db639c53c9bf0184f6deeff4229bcdea25ceab359a8

SHA512
6636a71e0099091c6caa4a606b39e12accdfe553c5fbeaa604096616695b655d7e8fb04ab701990b6b7df168e5cf8fbc958819faea818383ffe3a38dd95314fa

Download Submit
C:\Windows\SysWOW64\Cbljgpja.exe

Filesize
55KB

MD5
e429fbf69cd68ffecbc84a7c248bc775

SHA1
7a211046349ef17f5c4396ea509f0a1d915c3d16

SHA256
62831516967a8242cdbf9b74185fa011749dd6420c65e14337dfeb3b0c9e562a

SHA512
a13ddd2d79cc3d80c5d120b74400390aba410dfe794f2d7895d5051118524123d9aaf05b7a2e5c4f7ed425f902eba72ae4ec7ce7c4cd9cc16482eef1cb1545fb

Download Submit
C:\Windows\SysWOW64\Cbnfmo32.exe

Filesize
55KB

MD5
4388b21015b66dd7481af57f639f958c

SHA1
7fa884f74c562906bf98c9629270771e834144fc

SHA256
e02ad7d435afb3b9fa25af7b9c0676d28a99f0be10bf877be4a5603fecca6d8f

SHA512
06fc59a5540c3273420c29555f9694cc808f6e743c6ad2ea3a2ba2c4818d69ca5984b0afcac0d4d0cb53ca8b4d80a6f14263e18375b3b9e0a7f88496098096da

Download Submit
C:\Windows\SysWOW64\Cbpcbo32.exe

Filesize
55KB

MD5
b8bc67926d21bc09ead98188773f722b

SHA1
a33302a0607a24c0092ef439170e3a4309f3dc46

SHA256
2c8eb456776f8fc8a851ba54739d835044c004649bfffaa2d2fd7343ab693258

SHA512
4f7399e510f108645fd772f30fc0f7fb38c7f7cd2930a368217c195bc297278d7cd85c9a15ec86ed48d77cae983fbb3f4c3e6f3e8bdbbe1e49a5141f8b94acdc

Download Submit
C:\Windows\SysWOW64\Cdapjglj.exe

Filesize
55KB

MD5
c2be7656593f97463ea760f486a79f75

SHA1
49b35b5392ab04fa609ffccf5dbb0f15f4ef656d

SHA256
699763a6d5a738c7ef321208c56af5ed65bfa7907ab5b8ae090b53f5d729146c

SHA512
f61332953bf3088ace8971ca9e52d693f2c447d9a7e19a4b9b73c7847134e6c410f230d9dfb4ea881224b2f0a87c37f844855a39fb4a0598dbcbaff538548b08

Download Submit
C:\Windows\SysWOW64\Cejfckie.exe

Filesize
55KB

MD5
1295bb0ac5ae453169f2f8afe447299c

SHA1
5b98114278912916a488c667ed3a8df26c42a923

SHA256
bab10d8665dcec2e757fb6ca6ea43d8a560812aedfb0c0587ea74121943e2415

SHA512
418bc0a509740d26bc41a973bdca2579e43b5731734c2476db063f04f6b2f3ae127cdfca106168e3ee45624dabb9d9b6eab509530e5d171b0315a30020e1cc39

Download Submit
C:\Windows\SysWOW64\Celbik32.exe

Filesize
55KB

MD5
2240120a7ac33c434ef3e1035c449235

SHA1
181e7bdf53af44d060b9d9fa20b05cea75a21783

SHA256
e898f0bb9af2e06a6a2fbae6a5aa9e4451a805a287d983a368c01f18f71975a1

SHA512
5214b01aff11a05767ff224b06e0fb29633b659a357a5fcb0806bb43428c83de5296cb1bda7cd31716d9fb2dda69c5d2eb632dd7745a0f4922a9d9cf01ef17a9

Download Submit
C:\Windows\SysWOW64\Ceoooj32.exe

Filesize
55KB

MD5
fdedfb841d659a4b199d13840dc92a45

SHA1
eaa0435a9208155c1c0757d414633b4e4c5b230b

SHA256
db55531d47761f9f7335a2e7d0c572a9148f322764ac5f149348c63f40e41aec

SHA512
c23df6d31ee4a234c5eb60fcf67bb652e201603424d6b09ca1d5ebd2f15a47a3e55a6a248395ed8a061b71d9390b11572b2e4eeedbd0fdcbeb2936a2b45ac292

Download Submit
C:\Windows\SysWOW64\Cfbhlb32.exe

Filesize
55KB

MD5
5fedb9dc56c23a3226b8a4c626940a05

SHA1
fb1bc509976ba62e625c765e008f6cd87da2b0c9

SHA256
5eb897cbc24754b7183a466d5ba35bd4c8f2d8e7c2eaad5f2ff6a1c21e8def99

SHA512
1883a3ffe708de7851b77b6f68a9af26284c2afda30037166e479fc6d0b69e03587eceb46a661313e1f112a55df7e984b9c6d72102584777eb3a14df2bb7f5d3

Download Submit
C:\Windows\SysWOW64\Chhbpfhi.exe

Filesize
55KB

MD5
335650cf0a217b21eda0d5415007e1e8

SHA1
9a100b9da72976e9afab80d146241a9c9dcc1292

SHA256
4892d9aac2df7ba8b16c239760d598b3c0b095535e55a824eaa6aee1ff8f0fdb

SHA512
2ba1610b5c72812b935eb678afdbf6e7e7cc8f0b19203e5dcae89162c2eadc8e4e7c41fc65f57ff6e8bbbd30f8adfdb7d832009a85f4779eec842219ca37f56c

Download Submit
C:\Windows\SysWOW64\Chkoef32.exe

Filesize
55KB

MD5
3c3262b7ac587aac63a23dabb61cb457

SHA1
408f00246858f148f9cfc56554e0a6e2557614d3

SHA256
70918e075734be13f3483a2dfd4baa63ae9cd12b5a3b3da76ae7fba11d4c3dc4

SHA512
cfcb6a89c892fa4062622a44672c88945bbbfbd56d4be18d78fe6dc3376d9752844c9cd605a001b3ecabf6a8a56da33761c64c96b31247b3e26ae3413af6474b

Download Submit
C:\Windows\SysWOW64\Cjikaa32.exe

Filesize
55KB

MD5
361b0202b95b7cb35590e707061ba7ed

SHA1
e9af598cb2e8839407be94e3694b06e6e83d4011

SHA256
c684a56a8c853d0d76dde88a129aadbe8f0ab1e5c372e6bf44e9c405905472aa

SHA512
f1abcbd9aaa000faec9e03674111d0fbd3e7b913d331cb9181fb47586b3240e64fdb5de793d9663e06a5a151752f159ecfaee23aff0a99001bdd1b96a0333673

Download Submit
C:\Windows\SysWOW64\Ckkhga32.exe

Filesize
55KB

MD5
2ed8336c507aac2f8e423b41ba49ae64

SHA1
ddab5b8cf7f12f70f64795f42c5a6bdf2a74eef3

SHA256
c856b2ed7563c66a3f0ced54031290575063da242818b6b64f4e9421a4e6ece8

SHA512
300710679a26348749d7d6f6a0be25430e7f9985bef8ecb74cdd152348f775edf4615b3e8158d65e9e3bcbfea9bf6663878ebc35817cd7fbd75b31cba9a472f3

Download Submit
C:\Windows\SysWOW64\Ckndmaad.exe

Filesize
55KB

MD5
72e804d295b34f591b7a4294fed446f0

SHA1
8afa16f1a36453e664ec065bf48e5043e69440d0

SHA256
14a05272004c9936a992ec8a4762f95be3658da96dfb7e2efa7e92ffeb9904d8

SHA512
6d6da8489ba50b852519d884bdcd285edbb6f43e638b61b8f1ef83f1caaeefc666d2ad1899932810785b005cc0ba829cc67a07f806b4a8d90edf3d791571a302

Download Submit
C:\Windows\SysWOW64\Cmjdcm32.exe

Filesize
55KB

MD5
e37b293817cec44f56120848f93ce983

SHA1
ccc19aa2dcad979e8cde0c5ee7830fbde0b1e88f

SHA256
cef57bdcd11292b0155fec09468ab49e40d9d921fdada4362a4db9b4ed0ca502

SHA512
ebbd963c4a56fc794032ef23bd02a19b735bb56edb63af1dd3e5783b4c787d6d7edd670b4c63189d764053b7eedd084ca2b8905a46413ca135ffe63bf72add5d

Download Submit
C:\Windows\SysWOW64\Coiqmp32.exe

Filesize
55KB

MD5
ec9fa4c9c65b341c14da325def06d5e7

SHA1
61e04111843a518a3c380a374445cd500bd6fc64

SHA256
428170e5eccb8fbd3a208f778a031d1c1dd2cbb4aa4c5f4170719cf2c5c72476

SHA512
1478da8cb65e8f6a44c0e7f87863cd1ce546781ea58a162b8ca4953671c56e5614f9152bbad7df39334d85ddac67b69acacacd339d05a1eb71d8e694e53dda78

Download Submit
C:\Windows\SysWOW64\Cppjadhk.exe

Filesize
55KB

MD5
5cd17525f992d0415b5a9ce8f9419a88

SHA1
e6d3b45c712d8d62996ac3095ce5f7cdf6f56ecf

SHA256
3226056ec50e63a1f8874183459a8f4f2033a1596500766018c56a86b859201d

SHA512
be3888be04849db02fb583313fce7a7c9e87644f511c2f0e37c43c3f6253aa2fa0efef7adb865f44ead17e63cd730f602187558f80708c5b974c8f80a1d7323e

Download Submit
C:\Windows\SysWOW64\Dalfdjdl.exe

Filesize
55KB

MD5
56f0e5b14e0cbc65672ed157e7f666cc

SHA1
d3fb8524e3257a02f2e44ad5044e9a3446ff7aa5

SHA256
d1235e24395054c234d12bb1c88983d43b2e754ee2039e6f10264d2792441333

SHA512
25e35f3ffd734eb8e14dceca41d6078ac1946f0fab0a27c90f21a9f95956447f177717733a5300baf324c00aec0bfe044271620ca459c819d7ff9eba8a049a73

Download Submit
C:\Windows\SysWOW64\Ddhekfeb.exe

Filesize
55KB

MD5
c82ff148a89322e851bf6e9806b7a637

SHA1
a77338cd674c56fb869cdf25b035ae7b368469fd

SHA256
f75fdf50567e1eeaf2b1249336654b6288ade66ad2c0e0630dec8c3206c75799

SHA512
15cefceafa8b50e508e423f8916c179c7660d8a25076bb0473cb730f8b837c128127b2d92048f1ef0858f7bec500d306f1798ddf8278b302a0357c6c331e6f1a

Download Submit
C:\Windows\SysWOW64\Ddmofeam.exe

Filesize
55KB

MD5
6215595109eec89f401f0bf7b7c5a11c

SHA1
bfa35473e5dada5c13a6dbafaeba3fd7073accf9

SHA256
74ff5a3e94357b762f8870a4a92fe95e5b16bf6df8a17d4ec0fc25d791b1d440

SHA512
bfb4599c5b9b2dcb928a03a92d3695206d8937dc7f24510a9acc877f9e1712634d080f2deda92ed9412e71eec0a40c208f153bad8c9100c9d8600fddb07aea8c

Download Submit
C:\Windows\SysWOW64\Deahcneh.exe

Filesize
55KB

MD5
ee1967a03aa275b36be447830ec5a3eb

SHA1
55384c64d70076d39ec0c647414b9a9f82e7896c

SHA256
eee1ab46b115480883b54b879e0ab287c23af152517ec4cc89c8ab471048f653

SHA512
530cc4a893b4f7d3224f1f425c4456af6d68670fe1ca9d0962c4b31c98dc85d3795eb0149c052afa5a0b13bd092c362c267b92c0811a5df9bae99ed86c9d1857

Download Submit
C:\Windows\SysWOW64\Denknngk.exe

Filesize
55KB

MD5
30a906e34d34b0c1d1d32d561f03c099

SHA1
5e2ad36e9460fdedd254dd1dd4c9f390a31ae224

SHA256
6ed2134540b6387929d3c6ce146e90cc3bdd897661c8ef2c157e19903b787519

SHA512
095e1282c3e383fab53f272c18fe291852f080ce6a5de00de2e1ad5b91d7a72df642ce2241d344abc7be50f486b041e9fc5dbd49240ecbad5ca1289b5b167225

Download Submit
C:\Windows\SysWOW64\Dfdeab32.exe

Filesize
55KB

MD5
a9fffa357d802d5b41e8165a7343b168

SHA1
de76a66e643a55015aa0764d776073c20eac7e0d

SHA256
2bb8fa9c43c0a7202d945858b9bbfba4c22f1a71a5aeb99de66733083f403e48

SHA512
0cec54d143762c41fbe109c288b987d37795e609355ffe8955f34bc6a75a09eeeb4a442f770312aaa1731786e3c3ede12a97493ff14cc913bc658d6af1e6646f

Download Submit
C:\Windows\SysWOW64\Dggbgadf.exe

Filesize
55KB

MD5
360656e89acebb4a1234e10ae839ab37

SHA1
d8f7fb281c48215a70c3132bdb638dcb2b43934d

SHA256
1edc32d9b4a5bfd9913058eecf8612507211a9d17e4a1fc369f82278a65b0f25

SHA512
23dbe377074e3340959d5c1cf728acb0f754664bea4951838ca5062bce13a413f69cb59222999749dc8a20bfdb1a7053fc195b3a10c7a66268be13c11e889773

Download Submit
C:\Windows\SysWOW64\Dglkba32.exe

Filesize
55KB

MD5
30079202b256a31d0e55bc090ceb6704

SHA1
add2769929cb0d1529a798a543855041dd6c9108

SHA256
127d1a460748ace43c2edd222f2fc68d5ce7231a75921b7e146b1afc20fa8b8f

SHA512
62ef2ac96dc9e1c7be7c905dd46c75f753590d0c6b934645e0962b0dddb3b3c63341fedabc15e3dd23b505ed5da64c372a1d5cc284aeefce3df1a64c324865d7

Download Submit
C:\Windows\SysWOW64\Dicann32.exe

Filesize
55KB

MD5
ecca0f3e932a75bf69010718e5f48155

SHA1
80d725cb2f8fe2a93a87cfc4a930db961e785046

SHA256
df2b88670215912f837c356656474b6bdc8277dd5f7413ab2b472d7c54f0ee6d

SHA512
cb91641c97f129809fe23741fa78bc8c35a3a0ffc3dadf1d7f81ba15de0314eb33e77e3567d803dbb1c608b9081eb37482c85a206f9857100921d9ca172d46aa

Download Submit
C:\Windows\SysWOW64\Dkekmp32.exe

Filesize
55KB

MD5
5d86dad7e980f1ec782f0f787ac8e56a

SHA1
1bb190eebbafeab6a00ce0e3073197b19932931c

SHA256
5006a836333b1fe4cff32829987aaef79ed24f5df26766c809b2454edfa4e7c0

SHA512
c29fa916964b1ac25c0af3262f589e8aed13eb6f979f129a3d6cace02b3e16695c8787543c97fcf4e91edea8a6a9097a58c01b8c42896824257630363f213210

Download Submit
C:\Windows\SysWOW64\Dkpabqoa.exe

Filesize
55KB

MD5
71bc42ac0aeeae1ca3f626f7f305c34c

SHA1
4d9d1e3be361f8cd87c066393e88aba94e5ca3de

SHA256
8cc68279b1111f277e88730053ec9a429970008d5786f1d13fddc0b703a9e27f

SHA512
b16189ca8d64b4878a7e86a6b79c4f1f6f2886269a3c7584031c4d3eba5f3e188c633d2be4c88b0e6a36faf07040ba8ab1c9fccfccf13f56f66fcd917b5bf55b

Download Submit
C:\Windows\SysWOW64\Dlkqpg32.exe

Filesize
55KB

MD5
39bd139a8ad0db2aa95029b2e223e999

SHA1
f188ce54ca08795fd1d7cee0b9088ac26c4b5bc0

SHA256
206ae33bf7591dd9c3bd29703f2c261d7cac2ab824cde1ffb98e1fdf15a1b6c9

SHA512
65e6174ea0afa67a83a951376b92496688823d4299332a144a405f23b83833b1d8b53469d97b5fdde8e2784a6ff02c42961f96f6cdf22f095c4569d3b2bb330f

Download Submit
C:\Windows\SysWOW64\Dmcgik32.exe

Filesize
55KB

MD5
0b4e094c91ba3d88a0e5a8a8cbc5245b

SHA1
6423f403a3269c48a9440c138611e2c1642c4813

SHA256
70f9f88f5d24deefb01f3d918eac175518b72a120748d4817c87a46c507ad499

SHA512
8c419bd7ccad27d804a37098e9606302cdbb1ca46aef7800a5a8087f01953f715be2b669599f50d120eb4b373a16fa45ce88f6dbf6fcc421c31f09bd4c6f6e99

Download Submit
C:\Windows\SysWOW64\Dmecokhm.exe

Filesize
55KB

MD5
8f3d8cb3a66b544ec1e0dc68f609a06c

SHA1
736a967cf17f236b39b3bf00cd293df08b58404b

SHA256
f7a7e0f8625af0dcfaff2caac1169632e5abb07b7867858b7aa17cc1c22e818a

SHA512
f2f1de996b86dfc81be7a288cd09e69a0a9534178aa3fed6af07f81df1050ed90a6365e9e684d5f2e282d032e6aa3b38583c851db3319f654e5a0c097eb994ac

Download Submit
C:\Windows\SysWOW64\Dogpfc32.exe

Filesize
55KB

MD5
b90545f7cd87cb0461130734ac21e2cf

SHA1
f09363dd12eecf32aea38aa5a51db1c28bb29fd7

SHA256
9beeac751e7b2f15f24910d2b961736536577ab4c6328757348e857302681a7a

SHA512
d28da2a26e81f6d4e113ebac6d7d9351e998a549dc1a69b4ed797a245332084105e9f19e3bb66dbbe726c3a3ce3ecc1ed3bdf473356b83242cb50c8b9aebef41

Download Submit
C:\Windows\SysWOW64\Eceimadb.exe

Filesize
55KB

MD5
37a932e759c5a083a10e00f31c88011e

SHA1
fc01324131bd5a0d685413a1ff8a98eae9e9939c

SHA256
5a6476bee3aad36e6e138ec50bc4c30cb08ae69c4759342faed05af06c2f8cc5

SHA512
2afa3eca84f2e5a55d73ae42fec46b2db82962bbf07fd52832acca5e0b455ea0b3ef944581690f3d5bfa6ab14ff8d8885e916dbdbcdbf0edea5ebafc193ef70a

Download Submit
\Windows\SysWOW64\Bacgohjk.exe

Filesize
55KB

MD5
eab228120f73884688ee21976a687251

SHA1
00cc4841034d7bf5c449ca32a2885213f0588c80

SHA256
089fc0505506fa89d6e6357ae699980d0fa480487b40140ff4ca1b2d99b35e4a

SHA512
ff914ab297cd56280eb1f98a3e43265046a873fed8c1f468f022101062a79b2b598c521a1461540198ec85c5af982663e45a28031d2647bfe4364ace45e26cda

Download Submit
\Windows\SysWOW64\Baecehhh.exe

Filesize
55KB

MD5
e8516fb9bd31d24a08bea9f353313b5a

SHA1
33568efddb69fb44783542ec1ce789946e9a5e2c

SHA256
f068ead91244743375456a5d46210129375c134d723a5ace19f35943ec74bf2b

SHA512
9206e228c3e6d90a514007e2f857df8e2a566defb01e5bacfef351c36a9521304ed70e48a2adab74ef26344109e9d8a72b0d4433afed4a8b46d3139f254ce60c

Download Submit
\Windows\SysWOW64\Bcackdio.exe

Filesize
55KB

MD5
2151d867fd19794b4d886f208383d7c2

SHA1
3ff4bf303009741620053eac112924a1e4080e2f

SHA256
cc58742e93256931df0ce0f7af9ff46de4cc2ae340a9df765b629007b4f3a14e

SHA512
7e42d471f148692ac9273e18fb46ce44a4f5256a5c66a0d8a7c33f74930340fb89a1bc587d589a1c8e7e4c9dd8f09756c14bef951cd515fd38ef142a532e4351

Download Submit
\Windows\SysWOW64\Bcdpacgl.exe

Filesize
55KB

MD5
2d7b8458e7f97af98064b8ee7134ec3f

SHA1
2c5a27451fe692b2293c8e18e858c820b1ef6ebc

SHA256
b0c64a9867e7d3b7628aed03b2d71f56297a529abd17951e0bcb6457ddee8af7

SHA512
354839c03c6610b0ea79e13025b33f31072b6a59f97381e3fed4a87cdf6b93edc8ade81b52dc9a86835b10f0754ffa446bf5e7b38de876c7d4c0207996660930

Download Submit
\Windows\SysWOW64\Bcfmfc32.exe

Filesize
55KB

MD5
3b6758a72b9316e033dc4c131136eefe

SHA1
db58a95d50b21f1f98ce6f8ea7271a1fbb650c13

SHA256
b45612ba1b90ebd5f790885d2d3380284fe47d824e1ce301a9f62e7bcaa8867e

SHA512
15abc2784b47131b2b3e2d0d3dcc485fb3d17594042443cd0893b01a26d4a6931a27b581da9dec2c34949b639ec006df2fcbb8f292f5a60d72c3e604fffcb3f4

Download Submit
\Windows\SysWOW64\Behinlkh.exe

Filesize
55KB

MD5
0fe226e61f53f1f1c5ab95a50597b0cb

SHA1
644f5ff5e92a673d98cb3f83a8df3b8e0397f8d0

SHA256
3c7adf9269a2e224f38f82fddc9ac4740876e5c5bfb59a3a8a76d70d117ab884

SHA512
0262db98f667fef8d996e7bbb67c65430095b92a67a5dcc7fe66221d49f85fdf130e00725cc9c1dbd514b8331511505fa749bfaaf04f91b3dec11c46b1531add

Download Submit
\Windows\SysWOW64\Bfblmofp.exe

Filesize
55KB

MD5
b00234a9198d2a4c19d8b68846fcf197

SHA1
04b3487a7fd4ad2f6ae5c6db1a6ec7108197af11

SHA256
1015f73603fa37e4edbfbc07bf9a4f8832332421d547b66ea12ceaacc632c262

SHA512
38866e5a5bab977a60d227aac47b10cf05f1e799c643f1ec5ef9a5bde54f4c71d0a50dc32ef54668672ac15a8fdb6d364d37a9cbbb110d16ded4c7d64b0dacf3

Download Submit
\Windows\SysWOW64\Bfncbp32.exe

Filesize
55KB

MD5
a36bc2628a4471e24a83d3415bad119a

SHA1
372ddb0c9a32583345285b1722014ce33a0ed6a6

SHA256
add6eae6ff9d92893b8b9abce60d8d4f4aff5fc0a8b6e4d72882468637b5fdf8

SHA512
63bcdad71f8731e2f3aab82853c86b02710fbee9731d1f239894278f86b0731ddd1ac76d7275e1e73f9c88d95ae928ade3e8f073f219b49512aa5ba54a7926e4

Download Submit
\Windows\SysWOW64\Bjlkhn32.exe

Filesize
55KB

MD5
ece0a401289e9a437d07b426d6ee4b9f

SHA1
28ff6ff9aece87f81db5cd9ea99b8fa33a68fd7a

SHA256
27f9ec59292d73a2836f14a0467278a1020271237969875633f99eeefd9b7831

SHA512
eabec1f5d6f34b97a89e7fd5601c44c9dd40b9c9ae1f8b14b4f799018216a9db1b882fe3c2138d39b95103ea29673a7e408f152751f7c840fd4a2e792a044e32

Download Submit
\Windows\SysWOW64\Bkdbab32.exe

Filesize
55KB

MD5
c8bd499b1d583b5bd3c0cbf4d1b9d2b1

SHA1
ec6453b20e68e28e7ea20ae31001575018559a26

SHA256
93bf85f8d40e319546a3a267dda744e314cb4e8d985fe0646ee2c1eb71c0524e

SHA512
7bb6dbcc3f5246d9f2bdb36a39422b164519fb5e95b5918b0a4a1627316f2043d05834bc6c2a43049bc1984e6420acab041a50b3135556b06010038d345bf11d

Download Submit
\Windows\SysWOW64\Blodefdg.exe

Filesize
55KB

MD5
aa777f06413676b81d3dccf5d8f13303

SHA1
950a70e352f685c1a0246f6b2599cae243f0bab5

SHA256
b10b97683fd37c8ffad4433e7c8783882f4ba0a74610577728786b6bd3ed0a9c

SHA512
e0e352875894d492a1f2f85bb78686622ea443d321dbed05ee89a2b66cbcd2abb38ae69c207ac5769f970beb7f50e924d9677e989a19d0b2e9efc24c3eec035d

Download Submit
\Windows\SysWOW64\Bmoaoikj.exe

Filesize
55KB

MD5
2597145a4cc5e4ad85ed3524c2d2b3f0

SHA1
a90e8e7238a36b1427b61130e053c780fd845f07

SHA256
69f545fdad1a2be1310066b09612b9d29f75f56bd9c5a011e8d651e6926fbd5d

SHA512
dc964b603d86eb7bd533cdbfaf7de1f59977f460e890882099a388e9c0c6a2d185abaa2369a0eb14ef9bb9483a1676b3e4bfbe53d6f07fee8e20d17da31fae6a

Download Submit
\Windows\SysWOW64\Cpmmkdkn.exe

Filesize
55KB

MD5
ebc3d97c243c6690edbaa8eb43682639

SHA1
abb2c365479549fd67d1f47eb77e325af546f92d

SHA256
1b93fb42117d33cb5aa08fa305fedb27ecee037acb37867fd438a6821c34d131

SHA512
184903fa4a5aeabf9036e192ecf04306cd0bc366c48e3f5badb0f05b18bc71de5dacdfac830787a5c725b661c53e5d51cba2bb1b4d45593625a2bd90dfb40583

Download Submit
memory/532-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-230-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/636-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-286-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/636-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-239-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/756-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-491-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/876-439-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/876-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-340-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1112-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-584-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-339-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1144-196-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1144-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-295-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1180-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-26-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1208-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-362-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1356-383-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1356-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-394-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1476-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-396-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1640-403-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1640-407-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1640-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-12-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1720-11-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1720-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-342-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1740-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-303-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1740-308-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1840-449-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1840-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-512-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1920-505-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-261-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2136-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-526-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2184-525-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2188-221-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2188-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-470-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2352-315-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2352-318-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2352-582-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-115-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2516-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-35-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2576-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-133-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2656-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-63-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2696-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-81-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2732-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-89-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2736-429-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2736-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-276-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2748-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-419-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2752-418-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2764-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-373-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2832-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-583-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-329-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2900-328-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2980-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-170-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3004-430-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/3004-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-142-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3064-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads