6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2

Analysis

max time kernel
93s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe
Size

64KB
MD5

c44df15dc2ce7e04dd9252921c13060d
SHA1

47cb0acbeb36dec90d26ae76d49ac7a8fc786fc1
SHA256

6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2
SHA512

3837b1feb04ed06fd0aa9ba9648a5c5886bd40dc962e460339e0392c239e39f9acb2dad09b4ae289b00cb5c2c18b57c9ddb8fdcb94cac67b391a59e0a61c23e2
SSDEEP

1536:Mmq0M30HVudWXIgdpCmdLUtUWyEIrPFW2iwTbW:NM3XpgdQ49XVFW2VTbW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe

Executes dropped EXE 45 IoCs

pid	Process
4812	Bebblb32.exe
4164	Bcebhoii.exe
4140	Bjokdipf.exe
628	Bmngqdpj.exe
2152	Baicac32.exe
1096	Bchomn32.exe
2592	Bffkij32.exe
2636	Bmpcfdmg.exe
1140	Beglgani.exe
4556	Bgehcmmm.exe
412	Bmbplc32.exe
116	Bhhdil32.exe
4040	Bjfaeh32.exe
3460	Bmemac32.exe
2556	Belebq32.exe
5024	Chjaol32.exe
744	Cjinkg32.exe
2160	Cdabcm32.exe
1676	Cjkjpgfi.exe
3480	Caebma32.exe
5028	Cdcoim32.exe
3304	Chokikeb.exe
2040	Cagobalc.exe
3636	Cdfkolkf.exe
3176	Cnkplejl.exe
1748	Ceehho32.exe
4100	Cffdpghg.exe
3452	Cjbpaf32.exe
3912	Calhnpgn.exe
3276	Cegdnopg.exe
2484	Dhfajjoj.exe
1680	Dfiafg32.exe
2884	Djdmffnn.exe
3220	Djgjlelk.exe
2388	Dmefhako.exe
1580	Delnin32.exe
4828	Dfnjafap.exe
1416	Dodbbdbb.exe
3840	Daconoae.exe
4460	Dhmgki32.exe
3640	Dogogcpo.exe
1536	Daekdooc.exe
4520	Dddhpjof.exe
1480	Dhocqigp.exe
3744	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Djdmffnn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4784	3744	WerFault.exe	130

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4812	4512	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe	83
PID 4512 wrote to memory of 4812	4512	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe	83
PID 4512 wrote to memory of 4812	4512	6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe	83
PID 4812 wrote to memory of 4164	4812	Bebblb32.exe	84
PID 4812 wrote to memory of 4164	4812	Bebblb32.exe	84
PID 4812 wrote to memory of 4164	4812	Bebblb32.exe	84
PID 4164 wrote to memory of 4140	4164	Bcebhoii.exe	85
PID 4164 wrote to memory of 4140	4164	Bcebhoii.exe	85
PID 4164 wrote to memory of 4140	4164	Bcebhoii.exe	85
PID 4140 wrote to memory of 628	4140	Bjokdipf.exe	86
PID 4140 wrote to memory of 628	4140	Bjokdipf.exe	86
PID 4140 wrote to memory of 628	4140	Bjokdipf.exe	86
PID 628 wrote to memory of 2152	628	Bmngqdpj.exe	87
PID 628 wrote to memory of 2152	628	Bmngqdpj.exe	87
PID 628 wrote to memory of 2152	628	Bmngqdpj.exe	87
PID 2152 wrote to memory of 1096	2152	Baicac32.exe	88
PID 2152 wrote to memory of 1096	2152	Baicac32.exe	88
PID 2152 wrote to memory of 1096	2152	Baicac32.exe	88
PID 1096 wrote to memory of 2592	1096	Bchomn32.exe	89
PID 1096 wrote to memory of 2592	1096	Bchomn32.exe	89
PID 1096 wrote to memory of 2592	1096	Bchomn32.exe	89
PID 2592 wrote to memory of 2636	2592	Bffkij32.exe	90
PID 2592 wrote to memory of 2636	2592	Bffkij32.exe	90
PID 2592 wrote to memory of 2636	2592	Bffkij32.exe	90
PID 2636 wrote to memory of 1140	2636	Bmpcfdmg.exe	92
PID 2636 wrote to memory of 1140	2636	Bmpcfdmg.exe	92
PID 2636 wrote to memory of 1140	2636	Bmpcfdmg.exe	92
PID 1140 wrote to memory of 4556	1140	Beglgani.exe	93
PID 1140 wrote to memory of 4556	1140	Beglgani.exe	93
PID 1140 wrote to memory of 4556	1140	Beglgani.exe	93
PID 4556 wrote to memory of 412	4556	Bgehcmmm.exe	94
PID 4556 wrote to memory of 412	4556	Bgehcmmm.exe	94
PID 4556 wrote to memory of 412	4556	Bgehcmmm.exe	94
PID 412 wrote to memory of 116	412	Bmbplc32.exe	96
PID 412 wrote to memory of 116	412	Bmbplc32.exe	96
PID 412 wrote to memory of 116	412	Bmbplc32.exe	96
PID 116 wrote to memory of 4040	116	Bhhdil32.exe	97
PID 116 wrote to memory of 4040	116	Bhhdil32.exe	97
PID 116 wrote to memory of 4040	116	Bhhdil32.exe	97
PID 4040 wrote to memory of 3460	4040	Bjfaeh32.exe	98
PID 4040 wrote to memory of 3460	4040	Bjfaeh32.exe	98
PID 4040 wrote to memory of 3460	4040	Bjfaeh32.exe	98
PID 3460 wrote to memory of 2556	3460	Bmemac32.exe	99
PID 3460 wrote to memory of 2556	3460	Bmemac32.exe	99
PID 3460 wrote to memory of 2556	3460	Bmemac32.exe	99
PID 2556 wrote to memory of 5024	2556	Belebq32.exe	100
PID 2556 wrote to memory of 5024	2556	Belebq32.exe	100
PID 2556 wrote to memory of 5024	2556	Belebq32.exe	100
PID 5024 wrote to memory of 744	5024	Chjaol32.exe	101
PID 5024 wrote to memory of 744	5024	Chjaol32.exe	101
PID 5024 wrote to memory of 744	5024	Chjaol32.exe	101
PID 744 wrote to memory of 2160	744	Cjinkg32.exe	103
PID 744 wrote to memory of 2160	744	Cjinkg32.exe	103
PID 744 wrote to memory of 2160	744	Cjinkg32.exe	103
PID 2160 wrote to memory of 1676	2160	Cdabcm32.exe	104
PID 2160 wrote to memory of 1676	2160	Cdabcm32.exe	104
PID 2160 wrote to memory of 1676	2160	Cdabcm32.exe	104
PID 1676 wrote to memory of 3480	1676	Cjkjpgfi.exe	105
PID 1676 wrote to memory of 3480	1676	Cjkjpgfi.exe	105
PID 1676 wrote to memory of 3480	1676	Cjkjpgfi.exe	105
PID 3480 wrote to memory of 5028	3480	Caebma32.exe	106
PID 3480 wrote to memory of 5028	3480	Caebma32.exe	106
PID 3480 wrote to memory of 5028	3480	Caebma32.exe	106
PID 5028 wrote to memory of 3304	5028	Cdcoim32.exe	107

C:\Users\Admin\AppData\Local\Temp\6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe
"C:\Users\Admin\AppData\Local\Temp\6310f5e4964e21452fcc3ff695463ff89b6fd5bb49814bc1e1d7879377c1e4e2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\Bebblb32.exe
  C:\Windows\system32\Bebblb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\SysWOW64\Bcebhoii.exe
    C:\Windows\system32\Bcebhoii.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SysWOW64\Bjokdipf.exe
      C:\Windows\system32\Bjokdipf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 396
        47⤵
        Program crash
        
        PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3744 -ip 3744
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baicac32.exe

Filesize
64KB

MD5
7292c2da05d07042dd7ee632c7eab15e

SHA1
68515ca8359c66eeb3125af4ac791ce8d34fc7e1

SHA256
6f54d835fc197606da68f147dec4559586f81a78ddb16ec1494d8896191f81ef

SHA512
d40059507d7d96b970b12d83a20e63f9cee3c66fc4b6281b7c70c75d3fc89f9940e12c788b3df0c9f7034694384a1eba0393eeca2c3641e03e31e03380e0a9ad

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
64KB

MD5
bcc29555235b3a812db13fee273939e4

SHA1
1152317f9db9e57b75235e25775e6586a8702926

SHA256
711e389a72b3672b9074f38412b03254f0974076a6d77d2d02031b12f1b293fe

SHA512
19e4be41819f2fb833f018ed15368d737664f909d4c887bc2b0bd68a427b8721b19845c85ebd1129d54690fcc2532f63c7f5194451ba7dd604e8dffc8ece0703

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
64KB

MD5
4b8142d40a3b93ed9f4d705178593839

SHA1
c3b195b0b1c78a3ba7a5fe9859c12139f49dda1b

SHA256
d55e15c6ea35d14dad5ac51fd12bc43e60bc3434fc03e2640f987a3e582b8222

SHA512
f85a6799f7a1e1458b2db8a86aa34db5066232d4548a8521baf450cfc83fecfbf528e4698124ea0d29ed4818183ca886b27475b3fac42fdc0e8c39fd8627be9a

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
64KB

MD5
fe031a1fb233e15c792080aecc9976b4

SHA1
d373a70be259897b698711cf01e9ceb87b9c6a7c

SHA256
783ad9b0856e0d8ea0e0c7170ae1ddd9609571565587fbc8b1db73a8ab90cfdd

SHA512
4abb0eeabf4a0caa2344037136eb763250892ed836bce44f482052c179d91b8969dd98740e894aa0fe40cfd50e83ea17db0f9cc3df76c2217dc9c6e9a03a4270

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
64KB

MD5
1290931a7d3dfcc4ffefe5b8d9073993

SHA1
ef383ab7152d8aabe00768bcd89129d0ed529298

SHA256
60e3af2723a7c0a131ca49802238898f08f32034a2983f14d2f6ee899891c425

SHA512
a7162959606843f14184f315a1aabdbb5836f54ba664d17cdededdebbfd950737984c8a364e82185c2e797f07eeccd8cd68e351bee16c18d3d69bc70442454dd

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
64KB

MD5
7464bf964dcc72bb1012a6c9a4781a9b

SHA1
93a8aaff5b5e26a39c5247ce29853b863811e94e

SHA256
c2e91873d80dcf08f445a06cabd6a4e81f49f40a1b45dd7757e054be23682ad0

SHA512
103dca37cf66b96905af661b25af91c8ef881daddd577b2af069b38cbf2079433d6f28c23b19cdbb7e74345965151c2cfbe0244702eb05ab7fa1240a553f16ef

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
64KB

MD5
e13d61d514c5d7f9d75f701f7fb981c7

SHA1
36edf508176dde0472dbf5c4ca031c27c6885d7d

SHA256
eb509c5f240c3109778d5106805e2650c4b5133a5320ba2ed1236f610b1c87ff

SHA512
58167dd1cdf31fd403560f2db189a5b775bb48835c213c09e7fc9153259aa8b8b94c48fd5e996c19798d5ef24c1e75c480316059abd3ada2dd26c644608bdaf3

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
64KB

MD5
fbfbb542a349d1096e9c9ec1ce258c41

SHA1
00f6a20f90bd52aa70670712d6d9ff800e963145

SHA256
fbf5b7b476c87c541a142107c82b2ec476220a56b5563882d8146274dfa34fae

SHA512
7ca79f5022c3ca8f63e8813b66132d14cfd2ee93ee6a2882b355506b3a5ad9a7d883d43aa954148956d48f183d19f28e39d432e2e2725d33488ad10c5999f7e2

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
64KB

MD5
c35c57c1316c51e1ab21faa39848d2c7

SHA1
f7a922a339eaf1992434f8438e7aa3ee0e303a51

SHA256
925f06c5b9ae3c3330af1f81966bddb3d0f8c77ffe412628517d7e62b5602069

SHA512
5fbadf089ef9934c1d9407f7d57026275855ba27ebf14595cdbea75cb7280053c085eb9591d28a4c51cdb3a500122302921744946aa920dcf0f9d82e64f9b849

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
6162d65f8511dfccf1d40d6687cd4484

SHA1
b0cddedcc79b14efa73a67a7fedc6b60294d48df

SHA256
bc4a4f9380b6724272b361959e717de80f538204b2d79f65a9a813f0c11bff79

SHA512
fdaf3642b8a5be043cb5f241bea6d2e5bff33c77425f17c564dd12b2a226c54cc841c78c5192bb689cfe25f344fdd64c599acaf14ffd92c676bdaa78e4f40459

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
64KB

MD5
c9364b1a99275aedecc86e46452550cc

SHA1
067676d5ac7f215dc6a7e1385e6000d370761d7f

SHA256
62593b49083e798deadd54c97dd2d887c0d4f526bf42b704ffe371347bda4873

SHA512
636b69c00869dd9cdcd559900e19a53c317bdfa2601f5d28663e8a9351566c486958ccbb1ed1a4606f60c6d2567d2cfb31a851364e3e4612df50a23b7d358b7f

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
64KB

MD5
4e51877b9f538e35b7d3d4268374f952

SHA1
4f259fc11bd678aee70ca18edd9722db3c9b06b7

SHA256
e3bfd8c8615a9d29a5abc459f6b13b31c848982566bd8f8dc0787bafc3700b60

SHA512
b756b43537a903ab5f8e572b421c533cee44b62361b5b9ecd2eef4ebf3b13d3af871162d597a31dcf9ce071017b71b9653a3a451d0d1b12ca3745deb6a149ed7

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
64KB

MD5
ec0382c15fcc41b535a758d2612ce3fe

SHA1
5508d3cbef4fc29a0c28b0256cf9da5b1087a3a7

SHA256
3adfceaa9e7b4aecb1b5aa0accb6432162b17111dfe510f27efa28b601a885e2

SHA512
e0a3c06ec8ee7e35185c96bfe4e52cbaef733735a8d8feb22adce37a37d7780d405f537ba5d3dcfc6d81aa7f162d69920433600bda0cd0e59b05ea4105733265

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
64KB

MD5
b35dfb21b0aa34d4c02b0093b239acd8

SHA1
6b028c582917ace16d36512af637d649f560462f

SHA256
4605b6db3e60b72b3ac2bbc2004a85c4f798a63b6593f28590b812b2eabfcf32

SHA512
ae6f47c365520834498441d64904a81897fc407c42e39b7f66246cefd6691c57728863e20773c54f82dfac954247e96df0c3791eafa4f9567d600406f43a0f93

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
64KB

MD5
ee38cb1ff76216b1c2bf228b288ee740

SHA1
9a94ba5f573467ef32af0f9b43e603f7a941b185

SHA256
dd5f1496154712963b0358e3c338d2d60c1aaf8c930b81fa6067b8b98c935648

SHA512
124dbb3bbb2d06e835cd68cb7b43962204b319916d8e92f9efd09017ad6829c038818792e19fc8346d0b309768227836bacbecfe6170e4ceafbc3efcd2d2b12c

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
9e62d64c6523d6aa41bc78b188a5bcd3

SHA1
4772898d6c52b573ce476864c30d2a39abba196a

SHA256
d6761d5592600c9298ca2ba1dcc694d5eca467d008cafcf8b78b0921163dd3a9

SHA512
45957459b9901bb21dbc2d48b6c50aa9a712c8b10c4048e979939daf7ba117cae2632c02746f1752b1b3b9d0a4b52ae260212f7c591b1dc3306067cbcaac544e

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
64KB

MD5
9249a798f20416a9447217157a423bd4

SHA1
e2cef202cf02830d02b1335f6f04b6c8a2543d3e

SHA256
213bd34db21eb0571ce9d1a37af019a9b00a6c7753563ab3be020c722a3f9647

SHA512
b62cae31673fa479df7ebad431aeefe72ffed0d80716a5fab9233f3762addca782c9f9ac1dbfd111a52ae32f93941e0e0d6e9dee124c1d9c12e89a0a262b1c03

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
3dec6fba5c2c1a980bc30c532f1b1860

SHA1
38e1a66395fc34213c658d9ccda1d6dcc0477b2e

SHA256
f7815923983f41ff81e4264682f3d90a020f2069b6374b665754e50f5c256e48

SHA512
f5c3c260574c7a3f0c1c7d3a5408e784582c71a92277a8c49e171f5f79e2f2acaaa6ef4bfdf0c57477f1e8fb4ff3d9c0c40f9183dd671feea6647b9d8b60ba1d

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
64KB

MD5
ec726617e3f1d4049df33b24858a63ad

SHA1
c8fd7d730a6bd37955b9061fa8c4c3c7911ddbea

SHA256
69ab7ee0e0dbddd5108b3838b2240cc4b2635de3b516a9f3efd681589bcdd411

SHA512
fe8d2aea1ae1fe727897e898f94e4b01262a784aaf0d8870f1b4de167b2a863dc0b1c674d751c44128ddfaef48d0c51faa2e3cca4c04cf0942bf70012324581a

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
f8664d2e29bca6a1fb06d49edc5758b5

SHA1
d7ce63073587e64eca4f3e07e1a3a89a1bae1820

SHA256
830b3860388a1235e6b9e4e6ec9a8c6812f99d8faf9f0a30d82d071f862e2c80

SHA512
5627a7aa10a37f4a53986584290603debd8d4e866ff4cf225ec521b3aad611e57e78d10f8b94a734ef61912c2b8ae63553f355251369c138d23d081ec9e87d1e

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
77e7e623dcae4417bbab0bf01b05ab6d

SHA1
9a9f1105ffc775fe02e547d0250a2e1a927fb3cb

SHA256
81fcbe242fcbd7fab3416651d9778fdae92a0db3cca5f89402d81c31dbe783a9

SHA512
47d467cad3381d7c25785868d67bb1dcfdcd78211987911ac9b3d1121d91e31a077dfbdf00d9004850d1a09f6a229b7b8829c19d7f55baf94c2c9fba88982bc7

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
44ba10652ba82de41c1069451e8c645d

SHA1
4b7b9ecc8ec8dd55036df26ae4aec5de544442fc

SHA256
5e208198c9cb4e58c45ed6fccd2969b697c2b6f38d0a7eda1dd9f4093682f4a9

SHA512
0c0c1d7731b46934bb7835104109c13f14882227f937878f7363f38d22e563b57e1d48fc636067f5ceb58d98509531c23b4239a52b7e52669301965ee4c10ddd

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
27fb7d888550db1633dee1f54bab59d0

SHA1
5446741a0a7d25ef1f6aabfacbdb0c5a4af59fe2

SHA256
42a09bd28044c61a1cf3698bdbbf815b2eaac8ed41c0f81d95e2e80823c0448a

SHA512
0689ee0a996c95f169a2ec66f5f75426aac174948dba25d20c97e71f055499a42c6c5ee9670f4e024219ee4c76b74c73daaba19006b1666964bf629d8beba47c

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
434a59f79cf5235639e2bc9b73066803

SHA1
c089e0f479ef054631dffdbb06d1b1d9bf402cef

SHA256
e10a28f6863b1d6f22fd98a806bc55ac5603f347392ecc29698cdab26ba322ff

SHA512
b0741dda02d68e043ec3470bc7b4d6a4c26cc628ccc9562537ff338de0ee059b71f2c459262f201dfa4793739c1d8145149a663b065a7bd71a132faa70121539

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
64KB

MD5
cd9655d75dad19f2a3fa69981a7f68ac

SHA1
549304bc3d63a66c41414dade4174b06413863ad

SHA256
9b08f8def6a17e086e771c42b15ce4a4041cbee94e3aa99b45ace2e2c95153f5

SHA512
8ae53cee0688be8feba0ce66f5704b5750ae68b64a7286e947f09ced6226bc2ae5e0c1d0cc752ba12714f1249025e428f0523279712748456d72dd5d7c1ebf0a

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
5d3247cb8decdc8168acc35795ea3bbf

SHA1
ba757bda60c1811ba8614cdc1809745544a9dd4f

SHA256
86d98d6a06fc040cdd76b567a4b61334b12531a8cacf1cb69eaedcb328665c49

SHA512
edf78c6f33c0f31fe5c678eceb5ef9329e87bb2f2959c8fd759a71c52b004a3226d5c355c541eee95af21fa7e74f852d8de3f270e1941d7a34073a837ef8b85d

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
699568595082316eff46409accfc8190

SHA1
03bd0dba51f8f554daede465d8c5c38c84feebc1

SHA256
b8cc3a91137340b48bb1ddac18be3855f39ec1c1af59cd04edc9bc07671e7562

SHA512
a62b6c063fa60282f0b7b210a2a4e82cb815113d64835542e948c3f61de3da94d88c6b473f7531f2c16ded659f2fbbffdf37d7a5e352fc473275cad2715418fa

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
e876bf3bd7d7db57ef3d794aab9acbab

SHA1
f464933316462bdf31e5da364af26777bd037407

SHA256
03badd03dbad358f44f33e4b6030ab6078327d94e40f1307901c09b4320d8852

SHA512
a6a3076808f70761b2f7f38462db068087f5e735a2c3e4131865feb2eeee09e44dad9f1b5775ccc41e825bead944df17dd2c2ee301eb606ca141b66d4bebbb03

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
c7a55536ff3f0dfc90410a9d19176d29

SHA1
5d7121cd6befebfe559ab331c8cdf819de73e8dd

SHA256
efcaab9fc2d700abec26951a7bef1066dd411505d2b0f53016f37f65fbd506df

SHA512
91db08a21a10bd30e44010e405e4399897f3d3b85e118eb71db126f79cc5d9ff67a115defdee940007b9a3eaaefd4246c5cf92d728abcd997b3d22097c050943

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
11c49b8f25ef2f3dcfef5460a6c4cefb

SHA1
99ec00a50cfce39045a7ee4e0244140fb7cd0fbe

SHA256
34467c47522e88520894918ad97c646fa05c57d3acb3d033018cbeced46427be

SHA512
087da237122ebcc87538b5a219725fff1fce3d9a4ae96e6f107fe1730c7cca4e6062badf1038ec08336e350bf2faa3aa5c4dfbdb450d44454889ba5b8d399388

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
9be1b93f0b0611f2680e77574fe55f56

SHA1
d9b3ca7a508654caa9ceda21b7495c507581f085

SHA256
e2c04eddb8d1053591d3fad5db1181e12f031ec9d6823757a27986307058ab28

SHA512
480a737a0485af3af315c3dc7f0114b3d9e0bb854bd2b583b69bdd220fcbc4d38ac83828f10490512ab257d1cc505ed9e17e48341d3311d468874fe13db324e9

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
e0d07f030a9572f2480114dcde74408d

SHA1
580e8604aaf10a46ce8153aee03a5c1099807263

SHA256
8a696b6200de20b6272dcd390ece6b446565f5f2122f2ba829e40c165b42d576

SHA512
3e743c5ded7bc7f65298aba45bcfc3c7fcf8bca282cebc191c25cc8eaca640429f279b603c790d1561be599212d13e719d399875ff249e480fafce505b0e63c2

Download Submit
memory/116-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/116-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/412-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/412-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/628-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/628-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/744-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/744-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1096-48-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1096-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1140-72-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1140-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1416-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1416-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1480-360-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1480-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1536-372-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1536-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1580-368-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1580-307-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1676-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1676-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1680-283-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1748-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1748-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2040-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2040-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2152-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2152-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2160-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2160-245-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-302-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-366-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2484-275-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2556-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2556-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2592-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2592-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2636-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2636-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3176-216-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3176-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3220-359-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3220-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3276-261-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3276-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3304-282-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3304-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3452-247-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3460-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3460-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3480-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3480-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3636-207-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3636-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3640-373-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3640-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3744-367-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3744-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3840-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3840-375-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3912-326-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3912-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4040-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4040-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4100-234-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4100-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4140-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4140-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4164-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4164-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4460-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4460-374-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4512-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4512-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4520-353-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4520-371-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4556-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4556-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4812-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4812-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4828-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4828-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5024-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5024-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5028-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5028-273-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads