a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681

Analysis

max time kernel
84s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Size

67KB
MD5

42499d22801c26b9c187e0fd47e1ec54
SHA1

265f9f55fba58dba31350740aea46b61710ad5bf
SHA256

a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681
SHA512

e9cf5f1fa42763e4a39ab2828def1e16bf5273552263e390f13f0e1422f670d6fa47e79b4c9985a724a6f275161d7402e2ed8d24236f45940d08e977bf058ea0
SSDEEP

1536:hc2B98P9MK9m3RLrk6BjVIqpvpLB4T44X1Ap4IlneAoXq8KRQ3R/Rj:VB9Wj0RLrHBXpvZBC44FhK+Qe3Vx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbpplglj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbbmaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkajlph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banggcka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banggcka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdflfjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebmgc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebmgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bedjmcgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahlphpmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakkad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bakkad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckaodmhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckaodmhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbpplglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbbmaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfdbkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdflfjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahlphpmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dchcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbifgln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbifgln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfipgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkajlph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bedjmcgp.exe

Executes dropped EXE 15 IoCs

pid	Process
1744	Ahlphpmk.exe
3060	Bebmgc32.exe
2700	Bedjmcgp.exe
2716	Bakkad32.exe
1704	Banggcka.exe
2600	Cfbifgln.exe
2640	Cfdflfjk.exe
2840	Ckaodmhb.exe
2056	Cfipgf32.exe
3032	Dbpplglj.exe
2908	Dbbmaf32.exe
2484	Dkkajlph.exe
1644	Dfdbkj32.exe
1100	Dchcdn32.exe
1112	Dbmpejph.exe

Loads dropped DLL 34 IoCs

pid	Process
2436	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
2436	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
1744	Ahlphpmk.exe
1744	Ahlphpmk.exe
3060	Bebmgc32.exe
3060	Bebmgc32.exe
2700	Bedjmcgp.exe
2700	Bedjmcgp.exe
2716	Bakkad32.exe
2716	Bakkad32.exe
1704	Banggcka.exe
1704	Banggcka.exe
2600	Cfbifgln.exe
2600	Cfbifgln.exe
2640	Cfdflfjk.exe
2640	Cfdflfjk.exe
2840	Ckaodmhb.exe
2840	Ckaodmhb.exe
2056	Cfipgf32.exe
2056	Cfipgf32.exe
3032	Dbpplglj.exe
3032	Dbpplglj.exe
2908	Dbbmaf32.exe
2908	Dbbmaf32.exe
2484	Dkkajlph.exe
2484	Dkkajlph.exe
1644	Dfdbkj32.exe
1644	Dfdbkj32.exe
1100	Dchcdn32.exe
1100	Dchcdn32.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bebmgc32.exe	Ahlphpmk.exe
File created	C:\Windows\SysWOW64\Bakkad32.exe	Bedjmcgp.exe
File opened for modification	C:\Windows\SysWOW64\Ckaodmhb.exe	Cfdflfjk.exe
File created	C:\Windows\SysWOW64\Aiakfn32.dll	Cfipgf32.exe
File created	C:\Windows\SysWOW64\Bdiphm32.dll	Dkkajlph.exe
File created	C:\Windows\SysWOW64\Dchcdn32.exe	Dfdbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Dbmpejph.exe	Dchcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bedjmcgp.exe	Bebmgc32.exe
File created	C:\Windows\SysWOW64\Banggcka.exe	Bakkad32.exe
File opened for modification	C:\Windows\SysWOW64\Banggcka.exe	Bakkad32.exe
File created	C:\Windows\SysWOW64\Bgmcekbd.dll	Cfdflfjk.exe
File created	C:\Windows\SysWOW64\Dfdbkj32.exe	Dkkajlph.exe
File opened for modification	C:\Windows\SysWOW64\Dfdbkj32.exe	Dkkajlph.exe
File created	C:\Windows\SysWOW64\Dkkpkkoa.dll	Bakkad32.exe
File created	C:\Windows\SysWOW64\Cfdflfjk.exe	Cfbifgln.exe
File opened for modification	C:\Windows\SysWOW64\Cfipgf32.exe	Ckaodmhb.exe
File created	C:\Windows\SysWOW64\Obgogjmp.dll	Ckaodmhb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkajlph.exe	Dbbmaf32.exe
File created	C:\Windows\SysWOW64\Klhjlbpq.dll	Dchcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ahlphpmk.exe	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
File created	C:\Windows\SysWOW64\Bebmgc32.exe	Ahlphpmk.exe
File created	C:\Windows\SysWOW64\Pcghicbm.dll	Ahlphpmk.exe
File opened for modification	C:\Windows\SysWOW64\Cfbifgln.exe	Banggcka.exe
File created	C:\Windows\SysWOW64\Cfipgf32.exe	Ckaodmhb.exe
File created	C:\Windows\SysWOW64\Gifikp32.dll	Dbpplglj.exe
File created	C:\Windows\SysWOW64\Cpamgobk.dll	Bebmgc32.exe
File created	C:\Windows\SysWOW64\Jjjljj32.dll	Banggcka.exe
File created	C:\Windows\SysWOW64\Ckaodmhb.exe	Cfdflfjk.exe
File created	C:\Windows\SysWOW64\Nepenl32.dll	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
File created	C:\Windows\SysWOW64\Dbbmaf32.exe	Dbpplglj.exe
File created	C:\Windows\SysWOW64\Dkkajlph.exe	Dbbmaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dchcdn32.exe	Dfdbkj32.exe
File created	C:\Windows\SysWOW64\Ahlphpmk.exe	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
File created	C:\Windows\SysWOW64\Gnaqdnnd.dll	Bedjmcgp.exe
File created	C:\Windows\SysWOW64\Fdkkoa32.dll	Cfbifgln.exe
File created	C:\Windows\SysWOW64\Dbpplglj.exe	Cfipgf32.exe
File created	C:\Windows\SysWOW64\Fpecfg32.dll	Dfdbkj32.exe
File created	C:\Windows\SysWOW64\Dbmpejph.exe	Dchcdn32.exe
File created	C:\Windows\SysWOW64\Bedjmcgp.exe	Bebmgc32.exe
File opened for modification	C:\Windows\SysWOW64\Bakkad32.exe	Bedjmcgp.exe
File created	C:\Windows\SysWOW64\Cfbifgln.exe	Banggcka.exe
File opened for modification	C:\Windows\SysWOW64\Cfdflfjk.exe	Cfbifgln.exe
File opened for modification	C:\Windows\SysWOW64\Dbpplglj.exe	Cfipgf32.exe
File opened for modification	C:\Windows\SysWOW64\Dbbmaf32.exe	Dbpplglj.exe
File created	C:\Windows\SysWOW64\Knfplgpp.dll	Dbbmaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2244	1112	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banggcka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckaodmhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbbmaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbmpejph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebmgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakkad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdflfjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkajlph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfipgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbpplglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dchcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahlphpmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bedjmcgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbifgln.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiakfn32.dll"	Cfipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfdbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bakkad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbifgln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bedjmcgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banggcka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfdflfjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbbmaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepenl32.dll"	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfdbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkpkkoa.dll"	Bakkad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgogjmp.dll"	Ckaodmhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckaodmhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifikp32.dll"	Dbpplglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbbmaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahlphpmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ahlphpmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dchcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcghicbm.dll"	Ahlphpmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banggcka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmcekbd.dll"	Cfdflfjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbpplglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpecfg32.dll"	Dfdbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bebmgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bedjmcgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjljj32.dll"	Banggcka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckaodmhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfplgpp.dll"	Dbbmaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkajlph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dchcdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bakkad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbifgln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdflfjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bebmgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpamgobk.dll"	Bebmgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkkoa32.dll"	Cfbifgln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkajlph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiphm32.dll"	Dkkajlph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhjlbpq.dll"	Dchcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnaqdnnd.dll"	Bedjmcgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfipgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbpplglj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1744	2436	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe	29
PID 2436 wrote to memory of 1744	2436	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe	29
PID 2436 wrote to memory of 1744	2436	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe	29
PID 2436 wrote to memory of 1744	2436	a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe	29
PID 1744 wrote to memory of 3060	1744	Ahlphpmk.exe	30
PID 1744 wrote to memory of 3060	1744	Ahlphpmk.exe	30
PID 1744 wrote to memory of 3060	1744	Ahlphpmk.exe	30
PID 1744 wrote to memory of 3060	1744	Ahlphpmk.exe	30
PID 3060 wrote to memory of 2700	3060	Bebmgc32.exe	31
PID 3060 wrote to memory of 2700	3060	Bebmgc32.exe	31
PID 3060 wrote to memory of 2700	3060	Bebmgc32.exe	31
PID 3060 wrote to memory of 2700	3060	Bebmgc32.exe	31
PID 2700 wrote to memory of 2716	2700	Bedjmcgp.exe	32
PID 2700 wrote to memory of 2716	2700	Bedjmcgp.exe	32
PID 2700 wrote to memory of 2716	2700	Bedjmcgp.exe	32
PID 2700 wrote to memory of 2716	2700	Bedjmcgp.exe	32
PID 2716 wrote to memory of 1704	2716	Bakkad32.exe	33
PID 2716 wrote to memory of 1704	2716	Bakkad32.exe	33
PID 2716 wrote to memory of 1704	2716	Bakkad32.exe	33
PID 2716 wrote to memory of 1704	2716	Bakkad32.exe	33
PID 1704 wrote to memory of 2600	1704	Banggcka.exe	34
PID 1704 wrote to memory of 2600	1704	Banggcka.exe	34
PID 1704 wrote to memory of 2600	1704	Banggcka.exe	34
PID 1704 wrote to memory of 2600	1704	Banggcka.exe	34
PID 2600 wrote to memory of 2640	2600	Cfbifgln.exe	35
PID 2600 wrote to memory of 2640	2600	Cfbifgln.exe	35
PID 2600 wrote to memory of 2640	2600	Cfbifgln.exe	35
PID 2600 wrote to memory of 2640	2600	Cfbifgln.exe	35
PID 2640 wrote to memory of 2840	2640	Cfdflfjk.exe	36
PID 2640 wrote to memory of 2840	2640	Cfdflfjk.exe	36
PID 2640 wrote to memory of 2840	2640	Cfdflfjk.exe	36
PID 2640 wrote to memory of 2840	2640	Cfdflfjk.exe	36
PID 2840 wrote to memory of 2056	2840	Ckaodmhb.exe	37
PID 2840 wrote to memory of 2056	2840	Ckaodmhb.exe	37
PID 2840 wrote to memory of 2056	2840	Ckaodmhb.exe	37
PID 2840 wrote to memory of 2056	2840	Ckaodmhb.exe	37
PID 2056 wrote to memory of 3032	2056	Cfipgf32.exe	38
PID 2056 wrote to memory of 3032	2056	Cfipgf32.exe	38
PID 2056 wrote to memory of 3032	2056	Cfipgf32.exe	38
PID 2056 wrote to memory of 3032	2056	Cfipgf32.exe	38
PID 3032 wrote to memory of 2908	3032	Dbpplglj.exe	39
PID 3032 wrote to memory of 2908	3032	Dbpplglj.exe	39
PID 3032 wrote to memory of 2908	3032	Dbpplglj.exe	39
PID 3032 wrote to memory of 2908	3032	Dbpplglj.exe	39
PID 2908 wrote to memory of 2484	2908	Dbbmaf32.exe	40
PID 2908 wrote to memory of 2484	2908	Dbbmaf32.exe	40
PID 2908 wrote to memory of 2484	2908	Dbbmaf32.exe	40
PID 2908 wrote to memory of 2484	2908	Dbbmaf32.exe	40
PID 2484 wrote to memory of 1644	2484	Dkkajlph.exe	41
PID 2484 wrote to memory of 1644	2484	Dkkajlph.exe	41
PID 2484 wrote to memory of 1644	2484	Dkkajlph.exe	41
PID 2484 wrote to memory of 1644	2484	Dkkajlph.exe	41
PID 1644 wrote to memory of 1100	1644	Dfdbkj32.exe	42
PID 1644 wrote to memory of 1100	1644	Dfdbkj32.exe	42
PID 1644 wrote to memory of 1100	1644	Dfdbkj32.exe	42
PID 1644 wrote to memory of 1100	1644	Dfdbkj32.exe	42
PID 1100 wrote to memory of 1112	1100	Dchcdn32.exe	43
PID 1100 wrote to memory of 1112	1100	Dchcdn32.exe	43
PID 1100 wrote to memory of 1112	1100	Dchcdn32.exe	43
PID 1100 wrote to memory of 1112	1100	Dchcdn32.exe	43
PID 1112 wrote to memory of 2244	1112	Dbmpejph.exe	44
PID 1112 wrote to memory of 2244	1112	Dbmpejph.exe	44
PID 1112 wrote to memory of 2244	1112	Dbmpejph.exe	44
PID 1112 wrote to memory of 2244	1112	Dbmpejph.exe	44

C:\Users\Admin\AppData\Local\Temp\a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe
"C:\Users\Admin\AppData\Local\Temp\a8cbc0b3143086a328d8b1d1e24cab47267325dde3cae692302b6705fe4fb681.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\Ahlphpmk.exe
  C:\Windows\system32\Ahlphpmk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\Bebmgc32.exe
    C:\Windows\system32\Bebmgc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\Bedjmcgp.exe
      C:\Windows\system32\Bedjmcgp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Bakkad32.exe
        
        C:\Windows\system32\Bakkad32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Banggcka.exe
        
        C:\Windows\system32\Banggcka.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Cfbifgln.exe
        
        C:\Windows\system32\Cfbifgln.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Cfdflfjk.exe
        
        C:\Windows\system32\Cfdflfjk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ckaodmhb.exe
        
        C:\Windows\system32\Ckaodmhb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Cfipgf32.exe
        
        C:\Windows\system32\Cfipgf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Dbpplglj.exe
        
        C:\Windows\system32\Dbpplglj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Dbbmaf32.exe
        
        C:\Windows\system32\Dbbmaf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Dkkajlph.exe
        
        C:\Windows\system32\Dkkajlph.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Dfdbkj32.exe
        
        C:\Windows\system32\Dfdbkj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Dchcdn32.exe
        
        C:\Windows\system32\Dchcdn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Dbmpejph.exe
        
        C:\Windows\system32\Dbmpejph.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahlphpmk.exe

Filesize
67KB

MD5
70ed509d80f479177c1eb4eea96c9260

SHA1
05cf0a7cd1fd356de26ea1d4189b62f771ae2be5

SHA256
ecf5a05ebd15bd346d9b7343fc8f0fced478531543eeb629eee14affd21b7dfa

SHA512
3fbd2e4f0df1aba64d3a149a0c2ff101d915d4522e795da3b1a2907e724b52b52d3dd6f1a0dbcedbce6b9131c36e5a43a7dba3d9ab0c8a06ba0607e3b38add30

Download Submit
C:\Windows\SysWOW64\Dkkpkkoa.dll

Filesize
7KB

MD5
8642c2cb46cf24adbd5f95babfd4b804

SHA1
c06a74925e45479f83a9980a91e1e757b57976f0

SHA256
eb8ce30f50220a35688402537ada6f7dbfe6f4f816a76437311de9105055f018

SHA512
5d2740b5474b1b6ade35b9211b8c5a1ec235b7600b12d1e8fa763dbcff2f3dc2fec7207b368bd2c6a8e7d8556ecf3b6789425f19552cec25228258af09e7b98e

Download Submit
\Windows\SysWOW64\Bakkad32.exe

Filesize
67KB

MD5
2aac804975302adc248abced2d8fcd08

SHA1
12eb81b95d3646c289dea9e6b28ac3ac59ce2ffe

SHA256
91530bebf86d3b27056102c4731711f6eee8984aa4d6f6de20a05cf8a174b5fb

SHA512
2a1cc3e6efb4b47d03c97c10a033632a0bc3d9359224ebff3d80a18f0bf496e11861052a7b45b5bfe4980b86af8d580c500ff463eec8f97f14bd278c2840e1f3

Download Submit
\Windows\SysWOW64\Banggcka.exe

Filesize
67KB

MD5
d7c6e49fca5eccae3a9af37f9e3176d9

SHA1
46fa59e3ae245e55cb4cc9c77196ab2d5533fd2b

SHA256
55a8a2df2114b440a1fefd79c32ef21520e13dc447aa8e6f42fe5b9e0156516a

SHA512
99b6b16e2219c5802603a0fa1e5b8c78b61430e09bfc023b082658403bb180d31c027252762e1271d2ec0a0047033c9bc926cb27ef825c0cdd3f7818abfa0bc9

Download Submit
\Windows\SysWOW64\Bebmgc32.exe

Filesize
67KB

MD5
a5e9dcee62861229f47af1a2051084ef

SHA1
e27f6215b830cbc6f134e21f5ba2c99e1a5b47c5

SHA256
997a87b8919d1fec77865c300f9e063240530c558e17ee1aedfd711056cd3575

SHA512
6d2459b1dcf0b120e1620c357710206d32f4f023ff65b5da18f8df9edfb7053e4cddf58daf81818dbe250a8b9dfc8d0a1650baa40650e9bd104a5a3bfb0c6cfb

Download Submit
\Windows\SysWOW64\Bedjmcgp.exe

Filesize
67KB

MD5
2fa4bbc042762c7461e85144adcdda97

SHA1
0a7b681957a19fe171c6ef3cf2e4ee0d83ad5c28

SHA256
aea260a77e5b528e263a8b2c23c3462f7e1e82d524a4f82f77b5bcb7166a8f11

SHA512
23396055565d97005af00626e59c716ea62d44619ce22a9a8d693365800f9de16f791bb00a7922888d7c16d141f5456ab64a4e17d6f77f43afcc9f66ec7b9b92

Download Submit
\Windows\SysWOW64\Cfbifgln.exe

Filesize
67KB

MD5
2b244e68f09c5734b92f82d8637d6cea

SHA1
13082639ffd2a76c62aaef10b54787956ad46cf0

SHA256
ab610a447701ad153a0ae4801ecb6ecd65dae80eb3aabed8a6e9cd013abb219c

SHA512
1d01581f828e17ff95a187d6f216ece4cb3f85550e48aad3b0781df26e97b3b865ef8a92ea734f724762fa926ac319bb323c334d1541e0bf1d39ae6cf879b5fd

Download Submit
\Windows\SysWOW64\Cfdflfjk.exe

Filesize
67KB

MD5
49459ff968010a21ad530ccecc4eeed0

SHA1
89fd924ed1d9498bcb713f555e300e74b525f003

SHA256
10c8c15728f70693d4e36fc0dd84d4a0350cc15a158306fe115ec371e2090492

SHA512
ae08c7af24c6ac86271b152ff7b4fcf566e7e58361a1e2bab3a2324d192fd11a5036f40002456df213b12ffb2a887ae6a65ad64c24a23a06482252859d5635df

Download Submit
\Windows\SysWOW64\Cfipgf32.exe

Filesize
67KB

MD5
c6449045a997a9677f2fe8833bfcde21

SHA1
71dc13145b9d3294d1aeea932da2b50ca4acb1d2

SHA256
c89242f156ce6da20ac3b1ecf0b5fae3f1eacaf501bfead04e288b1797fa2647

SHA512
ab787c3049447ce5a9a1fe79c056b5a3748a0bc9ab2f16c9fb148156df65813a17f6ef04106b7149796f0e5492748be119732effcb5ab31f72503763add1e633

Download Submit
\Windows\SysWOW64\Ckaodmhb.exe

Filesize
67KB

MD5
61217916bc91effcae79afaf553042f3

SHA1
a85116c42c579563cbb7a087e03897449ed18a28

SHA256
356c1a27258c1e714d29af98d27ad609ff946eaadb79446166df7d07f54ecf53

SHA512
0c617c0e6e37f2782f24f36929d05ae4886de5c7a46d87b3dd14dbf04e2047965350cd3e65b51b55d0c7230983f082cad39ec28bba618bf853c49139ba91dcd5

Download Submit
\Windows\SysWOW64\Dbbmaf32.exe

Filesize
67KB

MD5
d4957b721498c118b4e420929acce853

SHA1
258321bd0633de43a5b1f3cddf2c9c724349dc95

SHA256
1a7c9cb43b980ef2be57e0227651a10fd5d3434d09302ea89d69224b42617469

SHA512
1769e9f263ce60819c83a8e82a4942d03dff74f0dbfd77f86ad92b52f416f12a8d4d4b8ce62abbaf3297578336cd3072cb78cfb111a98a31bd865917471fade4

Download Submit
\Windows\SysWOW64\Dbmpejph.exe

Filesize
67KB

MD5
8c0091fdeeb6f3c4b0b635be7bc522af

SHA1
3057cf9e5fcac0dbb7b46be2614a8d2b9446836a

SHA256
fd4806a701c1c65ca97c023e2c78df60cd2f6d0f1329744ed3ab437c5144dbd1

SHA512
5716c1d736d781ab8c3fa29ee7aeb5825194ee5778c434b368655f1bce5f3f052fadc401e1ee293a7a35b47026ced3aa5207208d282a2a1dacf805bbea5135cc

Download Submit
\Windows\SysWOW64\Dbpplglj.exe

Filesize
67KB

MD5
3531b136e0308eedeb9b78fe3f53e171

SHA1
50f586511c90e87320d0d27f94f901505beb8da3

SHA256
8d2341e0bbe95295538567d917ff0abd53c782c4ea9c63d43b5e3d9c335ddb4f

SHA512
d7f19588c8b83fac84b9b93f654f88298530ac05a8e216eb187a4c96414f9324d8264da1314212596b175b8174bedf00dc9367e88235fc7f42f5d7030664d7f7

Download Submit
\Windows\SysWOW64\Dchcdn32.exe

Filesize
67KB

MD5
93e1ed616fd7b5abb2444bdc5250f45e

SHA1
0a43a4855b695339ae9e2177f5e292bda080b1f6

SHA256
9995ba2168ee0e097cd0aefbe53b5d67125af0dd64a2a3f307544ec40f51ef84

SHA512
2dfdaddb5bc0d167d952bd415a34f83adb8068b4f2cf1cfce52e7f97283c1fb67e735e31ef6e23ca17b601724336453dd92c33afae058f5ac1e95e1d07f7d24b

Download Submit
\Windows\SysWOW64\Dfdbkj32.exe

Filesize
67KB

MD5
ee233c8c0bd27b1b259303ffd148bbe7

SHA1
f7bfcec087a934285785b8ec7de764af5599a365

SHA256
b3b7c730c00ed39a8540d4c5f39fd7a98a4e354ef903b9b73b21cc962f56fdfc

SHA512
515cd9e497fe53a13ec0712deef6db906fe5a679c6d8a4e6037ed7bd438fc90d9e46ec6da6743703ea57367166a08e6c0185f846be6aec1856c47fbf078bc4f1

Download Submit
\Windows\SysWOW64\Dkkajlph.exe

Filesize
67KB

MD5
f89ccae8c078d6d670a9609638dec9d2

SHA1
bbe3ebdd4c415dbad9f9e6358f5cd9451209bc2f

SHA256
90e9f9af3a77f668c77c9fe2c7118a4516abe4748bc9d03df719b5aea0343cdc

SHA512
c988e29b3d290569f5327ba7ff5c7a1cd679f1f28fa6b411454ec503121ae929a007653aff7549bc8fb8528a853296ce1dd11167cdd96b8f04aeac2d24471265

Download Submit
memory/1100-196-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1100-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-183-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1644-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-75-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1704-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-129-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2436-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-12-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2436-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-11-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2484-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-169-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2484-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-88-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2640-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-62-0x00000000001B0000-0x00000000001E5000-memory.dmp

Filesize
212KB

Download
memory/2716-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-211-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-115-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2840-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-159-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/2908-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3060-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3060-34-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/3060-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads