19390e82d853c95a95a931d75a9763357092f863326fae80d4e732e8f7de8243

Analysis

max time kernel
111s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ee7f62288d2862ccc186ab648ede1f0N.exe
Size

60KB
MD5

5ee7f62288d2862ccc186ab648ede1f0
SHA1

1fd431ce5e6139dedec325c82e7f343babc92d70
SHA256

19390e82d853c95a95a931d75a9763357092f863326fae80d4e732e8f7de8243
SHA512

31bb9394f472a3fbabb998c0e73a87d96c528cbd08355e6676063e078b5ed8814f9a7e48d255b540c752bbae03c6966ebc48545753f3e42169680c1f66fa0d2f
SSDEEP

1536:DN0hx5NQ+42zEzdcB/xPqafibucFjrW5jzL8dvnB86l1rs:p0bU+9zicjZiFFu5jzIdfB86l1rs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5ee7f62288d2862ccc186ab648ede1f0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5ee7f62288d2862ccc186ab648ede1f0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe

Executes dropped EXE 18 IoCs

pid	Process
1692	Bmnnkl32.exe
2352	Bchfhfeh.exe
2260	Bffbdadk.exe
2716	Bieopm32.exe
2024	Bfioia32.exe
2836	Bigkel32.exe
2636	Cbppnbhm.exe
3048	Ciihklpj.exe
2872	Cnfqccna.exe
1980	Cfmhdpnc.exe
1148	Cnimiblo.exe
2876	Cagienkb.exe
3008	Caifjn32.exe
2324	Cgcnghpl.exe
2452	Cnmfdb32.exe
1384	Cgfkmgnj.exe
2180	Dmbcen32.exe
1524	Dpapaj32.exe

Loads dropped DLL 39 IoCs

pid	Process
2336	5ee7f62288d2862ccc186ab648ede1f0N.exe
2336	5ee7f62288d2862ccc186ab648ede1f0N.exe
1692	Bmnnkl32.exe
1692	Bmnnkl32.exe
2352	Bchfhfeh.exe
2352	Bchfhfeh.exe
2260	Bffbdadk.exe
2260	Bffbdadk.exe
2716	Bieopm32.exe
2716	Bieopm32.exe
2024	Bfioia32.exe
2024	Bfioia32.exe
2836	Bigkel32.exe
2836	Bigkel32.exe
2636	Cbppnbhm.exe
2636	Cbppnbhm.exe
3048	Ciihklpj.exe
3048	Ciihklpj.exe
2872	Cnfqccna.exe
2872	Cnfqccna.exe
1980	Cfmhdpnc.exe
1980	Cfmhdpnc.exe
1148	Cnimiblo.exe
1148	Cnimiblo.exe
2876	Cagienkb.exe
2876	Cagienkb.exe
3008	Caifjn32.exe
3008	Caifjn32.exe
2324	Cgcnghpl.exe
2324	Cgcnghpl.exe
2452	Cnmfdb32.exe
2452	Cnmfdb32.exe
1384	Cgfkmgnj.exe
1384	Cgfkmgnj.exe
2180	Dmbcen32.exe
2180	Dmbcen32.exe
1348	WerFault.exe
1348	WerFault.exe
1348	WerFault.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	5ee7f62288d2862ccc186ab648ede1f0N.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	5ee7f62288d2862ccc186ab648ede1f0N.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	5ee7f62288d2862ccc186ab648ede1f0N.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cnimiblo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1348	1524	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ee7f62288d2862ccc186ab648ede1f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5ee7f62288d2862ccc186ab648ede1f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5ee7f62288d2862ccc186ab648ede1f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5ee7f62288d2862ccc186ab648ede1f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5ee7f62288d2862ccc186ab648ede1f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	5ee7f62288d2862ccc186ab648ede1f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5ee7f62288d2862ccc186ab648ede1f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1692	2336	5ee7f62288d2862ccc186ab648ede1f0N.exe	31
PID 2336 wrote to memory of 1692	2336	5ee7f62288d2862ccc186ab648ede1f0N.exe	31
PID 2336 wrote to memory of 1692	2336	5ee7f62288d2862ccc186ab648ede1f0N.exe	31
PID 2336 wrote to memory of 1692	2336	5ee7f62288d2862ccc186ab648ede1f0N.exe	31
PID 1692 wrote to memory of 2352	1692	Bmnnkl32.exe	32
PID 1692 wrote to memory of 2352	1692	Bmnnkl32.exe	32
PID 1692 wrote to memory of 2352	1692	Bmnnkl32.exe	32
PID 1692 wrote to memory of 2352	1692	Bmnnkl32.exe	32
PID 2352 wrote to memory of 2260	2352	Bchfhfeh.exe	33
PID 2352 wrote to memory of 2260	2352	Bchfhfeh.exe	33
PID 2352 wrote to memory of 2260	2352	Bchfhfeh.exe	33
PID 2352 wrote to memory of 2260	2352	Bchfhfeh.exe	33
PID 2260 wrote to memory of 2716	2260	Bffbdadk.exe	34
PID 2260 wrote to memory of 2716	2260	Bffbdadk.exe	34
PID 2260 wrote to memory of 2716	2260	Bffbdadk.exe	34
PID 2260 wrote to memory of 2716	2260	Bffbdadk.exe	34
PID 2716 wrote to memory of 2024	2716	Bieopm32.exe	35
PID 2716 wrote to memory of 2024	2716	Bieopm32.exe	35
PID 2716 wrote to memory of 2024	2716	Bieopm32.exe	35
PID 2716 wrote to memory of 2024	2716	Bieopm32.exe	35
PID 2024 wrote to memory of 2836	2024	Bfioia32.exe	36
PID 2024 wrote to memory of 2836	2024	Bfioia32.exe	36
PID 2024 wrote to memory of 2836	2024	Bfioia32.exe	36
PID 2024 wrote to memory of 2836	2024	Bfioia32.exe	36
PID 2836 wrote to memory of 2636	2836	Bigkel32.exe	37
PID 2836 wrote to memory of 2636	2836	Bigkel32.exe	37
PID 2836 wrote to memory of 2636	2836	Bigkel32.exe	37
PID 2836 wrote to memory of 2636	2836	Bigkel32.exe	37
PID 2636 wrote to memory of 3048	2636	Cbppnbhm.exe	38
PID 2636 wrote to memory of 3048	2636	Cbppnbhm.exe	38
PID 2636 wrote to memory of 3048	2636	Cbppnbhm.exe	38
PID 2636 wrote to memory of 3048	2636	Cbppnbhm.exe	38
PID 3048 wrote to memory of 2872	3048	Ciihklpj.exe	39
PID 3048 wrote to memory of 2872	3048	Ciihklpj.exe	39
PID 3048 wrote to memory of 2872	3048	Ciihklpj.exe	39
PID 3048 wrote to memory of 2872	3048	Ciihklpj.exe	39
PID 2872 wrote to memory of 1980	2872	Cnfqccna.exe	40
PID 2872 wrote to memory of 1980	2872	Cnfqccna.exe	40
PID 2872 wrote to memory of 1980	2872	Cnfqccna.exe	40
PID 2872 wrote to memory of 1980	2872	Cnfqccna.exe	40
PID 1980 wrote to memory of 1148	1980	Cfmhdpnc.exe	41
PID 1980 wrote to memory of 1148	1980	Cfmhdpnc.exe	41
PID 1980 wrote to memory of 1148	1980	Cfmhdpnc.exe	41
PID 1980 wrote to memory of 1148	1980	Cfmhdpnc.exe	41
PID 1148 wrote to memory of 2876	1148	Cnimiblo.exe	42
PID 1148 wrote to memory of 2876	1148	Cnimiblo.exe	42
PID 1148 wrote to memory of 2876	1148	Cnimiblo.exe	42
PID 1148 wrote to memory of 2876	1148	Cnimiblo.exe	42
PID 2876 wrote to memory of 3008	2876	Cagienkb.exe	43
PID 2876 wrote to memory of 3008	2876	Cagienkb.exe	43
PID 2876 wrote to memory of 3008	2876	Cagienkb.exe	43
PID 2876 wrote to memory of 3008	2876	Cagienkb.exe	43
PID 3008 wrote to memory of 2324	3008	Caifjn32.exe	44
PID 3008 wrote to memory of 2324	3008	Caifjn32.exe	44
PID 3008 wrote to memory of 2324	3008	Caifjn32.exe	44
PID 3008 wrote to memory of 2324	3008	Caifjn32.exe	44
PID 2324 wrote to memory of 2452	2324	Cgcnghpl.exe	45
PID 2324 wrote to memory of 2452	2324	Cgcnghpl.exe	45
PID 2324 wrote to memory of 2452	2324	Cgcnghpl.exe	45
PID 2324 wrote to memory of 2452	2324	Cgcnghpl.exe	45
PID 2452 wrote to memory of 1384	2452	Cnmfdb32.exe	46
PID 2452 wrote to memory of 1384	2452	Cnmfdb32.exe	46
PID 2452 wrote to memory of 1384	2452	Cnmfdb32.exe	46
PID 2452 wrote to memory of 1384	2452	Cnmfdb32.exe	46

C:\Users\Admin\AppData\Local\Temp\5ee7f62288d2862ccc186ab648ede1f0N.exe
"C:\Users\Admin\AppData\Local\Temp\5ee7f62288d2862ccc186ab648ede1f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\Bmnnkl32.exe
  C:\Windows\system32\Bmnnkl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\Bchfhfeh.exe
    C:\Windows\system32\Bchfhfeh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\Bffbdadk.exe
      C:\Windows\system32\Bffbdadk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 144
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
60KB

MD5
c06a9b3f142fd35e30e7ae153449b904

SHA1
dfebbc42e4c347259ad2cbb30fcc6c1864318fdf

SHA256
99bc758916ac287863ee284e6dd6a8b59582b243d9da794ded896c7a2a4e76ab

SHA512
d4b60dffc3b5710f2e0d0274e791d28fa03c86324ec869c1552a61eb6953680eb450a85e2c28f35058b1e0c3d97da54ab2ec8acb616d7cbaa9941839c88c5a99

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
60KB

MD5
366f1014ab2e8135a543552a592a8df6

SHA1
1de3c140009eaf4c2e99654e9ae6aa556ae71196

SHA256
0de63a5d2b89e70cab695c03853c87c91b0d4c370cae0bd444d07f557c6ae7fe

SHA512
777edbfb74136542443db77717b3f0df299749b266c52f4fdf93d5044aa0f379ae25baa2c892587ed7f847c5d11f347b6a3ea418a26ffd3d1fff978ca3184123

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
60KB

MD5
60a13598c144e1882d3d38567923b070

SHA1
d8f5c4464ca8c4f3aeb55ba51e5677891cecb23d

SHA256
d0c040c20feb90ea9b64cc50e6b15e51c6af21d30f35866c1beca50269313b9c

SHA512
37808290339b024d5df8b1cff3abeecfa42fd357f5c8cdfd3d1cd716630f6aec4d0cde8ac3634afc3d71df613ded647a91f0d5a78b7412459b60ee438c62704f

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
60KB

MD5
477ca9861367409407594f295f2318d7

SHA1
51be619987b3be736f1007b96347de791410483a

SHA256
545f47c4fcf86318f4e3f69fc06f599f9f0d5df9dab8cadb36f8e74fd0adbe37

SHA512
daac77d1cc4321cdadfad311569695f5d983771dcd9ae55d97f49b305409404ce52034e6039c51feea82c496af7ecb587fe9eea4dac979dc6ae10e7a04b782b5

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
60KB

MD5
8046b9ed1967cb540598adc6038ad420

SHA1
beb7828753465aeae5759e74a5ef86b11479bac8

SHA256
97a4eb7e3a01be481e6c1a7c23e808b2aa3c9f6361fae38b3c921f2b4e022757

SHA512
7e5b614f06da8bdf1897beb01d402860794e800a4c0062f18e003bac2a8247cebbeaa2ffb0247404217fe1fbd870039978aa0cb19af710e4090d9c5b5b63842e

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
60KB

MD5
17756cf805711bb4198063ec92a32fd4

SHA1
6998c35f9f02c925f493ea3da6e4c8f5f54d6a9a

SHA256
8bf5814bb6de028e3ec40405e348df3bb1af1c8d9681a83325b2bf7b2a30ee48

SHA512
0ccaacf8af72368c09f2a6724a4fe99eeb267dfddcc51b2e2b6f9e66dfff8951d30b2651b58405c24faf484e4fb72e8afee978a19aaa8529a3f8c1c6c71b8909

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
60KB

MD5
f58e8529bd42111a5ed4f8ce76f90a1c

SHA1
9cbc6db6b91eeb6a514603bfbd3ee0ac01953608

SHA256
29a504af843bb67e497caa72fb5f3dc5fcfd4477b95d7251c3f3e1b9161f5d4b

SHA512
29d9a21236e46a2df844bd1ebbcea14217656c73af48c22014446cefa7006df4872da9295edef5b8db017958836a704f208fca01b446cc305ee6cbf06b0d4d96

Download Submit
\Windows\SysWOW64\Bfioia32.exe

Filesize
60KB

MD5
a122ede6a817771c531f52f34d703de1

SHA1
29ffab05008a52516689b57373fa479f933b4428

SHA256
67d94f69ac711e1577e13bc009eda9dffb4a2f7846340acdecc882d1b1f6c902

SHA512
716654b961d701db4a1d9362dcff5305e7d783599eb341b19f6ba6b64da2ecfbdff6013ea435ddde0ceb7ae9930ac2ba78b00abaae3b4f1258b41ed6a4ca5f49

Download Submit
\Windows\SysWOW64\Bmnnkl32.exe

Filesize
60KB

MD5
23471c957e05e2b601600559947e59b5

SHA1
0eaea637a5bd5d71fe70cac2d46cb2c47c69133b

SHA256
b8d5827e11d29442408e4503b0fe32810005bed3083fbaa2a1fa204e77d00162

SHA512
eb34ede9d8f84ed62768812932f20a1b59d23d0a9f836307a41edc5237724b0b558329b8fce733385691f71eb4f0bea0e570570f72082e484cbadbc6a6c81e7e

Download Submit
\Windows\SysWOW64\Caifjn32.exe

Filesize
60KB

MD5
b3f134c666ad675f1286eb6ad83e3aae

SHA1
d69f6d6cd5fa93a561ecdf41b7b1750fe4aeceb6

SHA256
d06bfc0382dd2754f8d09c4ce8ac0c224b1bff603c0738573e1cab83e5e6d0f9

SHA512
e1de6762fc5f0a166733aabe756bc04f76a2765230cea0be9bd7cfdd1849b2e42668511f7e346c44943ba3978119b5deb1f145f8c29d2ce2c451b5ebdfe9e9e8

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
60KB

MD5
4d0f4bfd0afcf34a29c66a88fc06563d

SHA1
b582ca29cf164a45bd3105319e47c84d2582225d

SHA256
af9e35bd1b62507888091e43ba652edc94b44fb2564d0e6b9041f37a4e8bbf47

SHA512
63408badd4ffe8a5e2723fdd264474bd4d7030cf69c253da73ede97d897349b50e067ab5f22a974d98f3e0facec732b974f91f73c59bca83477e8f7be5b791f4

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
60KB

MD5
146a39dac2d2b778f5bfa0bc3fbc7315

SHA1
e6fa650b91c94ac2b05ad769cdbf78b63332c859

SHA256
358f525af7238a516664ba77ab45cc70befac0a07a1a44caef44d5068b13fe74

SHA512
687b24b3f6aefba6502d7e0fe0c7981514e90eba4dc3336289aa12533ccd8e380f1b38c3e7a4f4b76122805447ac94e6def2f7dc83d8998ef23f29f10db895da

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
60KB

MD5
b86bf9001d1528935ac59b803edc3389

SHA1
048a532b291604c3ad0bb41450a2fe530f704433

SHA256
92f8a37b9364fb7d51163d2792c1976c897d3213b8f2054bd0a19ee71c7f5be3

SHA512
0b23c7449dc1976672035a2677a884791d0728c3a98a187de3aaf248dcb54aeac0d650b5c78ed0e123af6412a66c02f97c495b1d7e934a17e6c329287273c642

Download Submit
\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
60KB

MD5
0f0e6d2502b59a600dff7b6c542741f6

SHA1
b89b32f8936929aee73b344c9e26e1240d30b6af

SHA256
fc18b6516fc8fcc57967fcf70bd889fb56d8a71344a6a39c6defe778372a761b

SHA512
c6fc7f8002ef6079e2ae2170db35fd41f43f1150f16b3d0bda7a0cd104abdc5573e252a052ce5df7e7b1ec30fe3b7680ab161234a9314a7d5bda6fd53e6400fc

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
60KB

MD5
e051071c250c12b642b8e932d6bf88fb

SHA1
d1b57fa2308d1509b7427a5bf5a22e7047b88e2e

SHA256
3fe6817d65909ef08629a04a3f19faac07e30d604e870b1f32e5ada0d7fe7c6a

SHA512
fdbda0bf5462b8eb50641632a1a00950f4deb20ce3e423ed2c8d8a7361859ab5c5b5ba40b23cc22c1d877ce9bf4149a32e2693a16a68bd61affa57345ab8a668

Download Submit
\Windows\SysWOW64\Cnfqccna.exe

Filesize
60KB

MD5
cabc3baa85db4d92f03ff05a47953b24

SHA1
be1835ebc5d045b333a3d1dc31c5b74028c258ce

SHA256
ed6b6a8f6e45f5013cc0f478de413eca9db952dbf71da36d5795a123f767b668

SHA512
69f5790b5be81120c6e73214ea0380cb773afa108a32491da96e0f270079d53214cd4853c798aebf322f4f2c4fb8984a8571feef575098dd9e1b1ed1179e5c1f

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
60KB

MD5
a42540c66b5b7487b0fdcc62f8007f55

SHA1
7c6c3f63a9bd97d31899b5edce20f3a407154613

SHA256
4cd66341e88a347c561afeb82573c126dc02e65253cf641c574905ff621175eb

SHA512
d61845f87b0b7023bdc701ae66e4001fc885accb0aa25c8d17246828c51ebd5689b5aa530f2eb816f2016a0759c2bf28a40f1f990e09bfc9132e49c26c69e619

Download Submit
\Windows\SysWOW64\Cnmfdb32.exe

Filesize
60KB

MD5
7ac5670b6d507e0ebd87cc6b354ebd29

SHA1
322fcbd40c623d2d21788849b70b3ccfe34f2dc5

SHA256
eb927edacc30280b2303968f7a8a69e14d90d1a49ca1088069f2803b34b6e1b0

SHA512
ec09614b8893bd11b1f839e86498b1e1af2dbed91c86d990dded49b56754f936f4e7d45aee925e055724fe49873820000e4ff85771de384ec36e356fbb6b0f43

Download Submit
memory/1148-219-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1148-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1148-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1148-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1148-172-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1148-173-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1384-265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1384-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1384-237-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1384-245-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1524-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1524-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-37-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1692-318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1980-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1980-156-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1980-150-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1980-204-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1980-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-80-0x0000000001F40000-0x0000000001F76000-memory.dmp

Filesize
216KB

Download
memory/2024-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2180-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2180-266-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2180-259-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2180-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2260-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2260-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2324-221-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2324-213-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2324-260-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2324-258-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2324-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2324-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2336-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2336-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2336-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2336-7-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2352-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2452-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2452-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2452-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2636-109-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2636-171-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2636-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2636-111-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2636-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2636-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2716-53-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2716-65-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2716-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2836-140-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2836-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2836-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2836-148-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2836-90-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2872-137-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2872-138-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2872-185-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2872-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2872-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-234-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2876-186-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2876-183-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2876-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-236-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/3008-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3008-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3008-243-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-110-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-119-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3048-163-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads