e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1dd

Analysis

max time kernel
104s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
Size

320KB
MD5

d1f12aafeb3d9b001c83865a8e4d6030
SHA1

59670fe6a21f9c26e351724b56a433e23a345976
SHA256

e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1dd
SHA512

82f9968e36a9580dabd11b7c8a2520d8828e78701aa37ff909868ed7ccd6f7d48afb7d62b9c45f37bdf25530d1ed329e28e9b93ca06c9a06bbb378ee505eaf17
SSDEEP

3072:jiDxE/8F7Ey8/41QUUZm8/41QrAoUZ4pWLB51jozFWLBggS2LHqN:j0K8F7GZgZ0Wd/OWdPS2L8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpkmal32.exe

Executes dropped EXE 28 IoCs

pid	Process
4772	Bknlbhhe.exe
2604	Bdfpkm32.exe
3012	Bgelgi32.exe
4632	Conanfli.exe
3724	Cponen32.exe
5048	Chfegk32.exe
2452	Chiblk32.exe
3204	Cocjiehd.exe
4512	Cnfkdb32.exe
3000	Cpdgqmnb.exe
4864	Coegoe32.exe
2528	Cnhgjaml.exe
1972	Cpfcfmlp.exe
1936	Cdbpgl32.exe
4616	Cgqlcg32.exe
1684	Cklhcfle.exe
1104	Cogddd32.exe
3168	Dafppp32.exe
4660	Dpiplm32.exe
4676	Dddllkbf.exe
2656	Dgcihgaj.exe
2128	Dkndie32.exe
3036	Dojqjdbl.exe
624	Dnmaea32.exe
3980	Dpkmal32.exe
3692	Ddgibkpc.exe
1680	Dgeenfog.exe
4092	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Olaafabl.dll	Conanfli.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Mqnbqh32.dll	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Cpfcfmlp.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Cklhcfle.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dgeenfog.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Coegoe32.exe	Cpdgqmnb.exe
File opened for modification	C:\Windows\SysWOW64\Coegoe32.exe	Cpdgqmnb.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dkndie32.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dgeenfog.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Bknlbhhe.exe	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
File opened for modification	C:\Windows\SysWOW64\Bknlbhhe.exe	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
File created	C:\Windows\SysWOW64\Bdfpkm32.exe	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Conanfli.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Jgddkelm.dll	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Cocjiehd.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Coegoe32.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Dafppp32.exe
File opened for modification	C:\Windows\SysWOW64\Dpiplm32.exe	Dafppp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Cpfoag32.dll	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Qkicbhla.dll	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Hgncclck.dll	Coegoe32.exe
File created	C:\Windows\SysWOW64\Jcknij32.dll	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Chiblk32.exe
File created	C:\Windows\SysWOW64\Cnfkdb32.exe	Cocjiehd.exe

Program crash 1 IoCs

pid	pid_target	Process
2948	4092	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcknij32.dll"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coegoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafppp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll"	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dojqjdbl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4772	5036	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe	85
PID 5036 wrote to memory of 4772	5036	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe	85
PID 5036 wrote to memory of 4772	5036	e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe	85
PID 4772 wrote to memory of 2604	4772	Bknlbhhe.exe	86
PID 4772 wrote to memory of 2604	4772	Bknlbhhe.exe	86
PID 4772 wrote to memory of 2604	4772	Bknlbhhe.exe	86
PID 2604 wrote to memory of 3012	2604	Bdfpkm32.exe	87
PID 2604 wrote to memory of 3012	2604	Bdfpkm32.exe	87
PID 2604 wrote to memory of 3012	2604	Bdfpkm32.exe	87
PID 3012 wrote to memory of 4632	3012	Bgelgi32.exe	88
PID 3012 wrote to memory of 4632	3012	Bgelgi32.exe	88
PID 3012 wrote to memory of 4632	3012	Bgelgi32.exe	88
PID 4632 wrote to memory of 3724	4632	Conanfli.exe	90
PID 4632 wrote to memory of 3724	4632	Conanfli.exe	90
PID 4632 wrote to memory of 3724	4632	Conanfli.exe	90
PID 3724 wrote to memory of 5048	3724	Cponen32.exe	91
PID 3724 wrote to memory of 5048	3724	Cponen32.exe	91
PID 3724 wrote to memory of 5048	3724	Cponen32.exe	91
PID 5048 wrote to memory of 2452	5048	Chfegk32.exe	92
PID 5048 wrote to memory of 2452	5048	Chfegk32.exe	92
PID 5048 wrote to memory of 2452	5048	Chfegk32.exe	92
PID 2452 wrote to memory of 3204	2452	Chiblk32.exe	93
PID 2452 wrote to memory of 3204	2452	Chiblk32.exe	93
PID 2452 wrote to memory of 3204	2452	Chiblk32.exe	93
PID 3204 wrote to memory of 4512	3204	Cocjiehd.exe	94
PID 3204 wrote to memory of 4512	3204	Cocjiehd.exe	94
PID 3204 wrote to memory of 4512	3204	Cocjiehd.exe	94
PID 4512 wrote to memory of 3000	4512	Cnfkdb32.exe	95
PID 4512 wrote to memory of 3000	4512	Cnfkdb32.exe	95
PID 4512 wrote to memory of 3000	4512	Cnfkdb32.exe	95
PID 3000 wrote to memory of 4864	3000	Cpdgqmnb.exe	96
PID 3000 wrote to memory of 4864	3000	Cpdgqmnb.exe	96
PID 3000 wrote to memory of 4864	3000	Cpdgqmnb.exe	96
PID 4864 wrote to memory of 2528	4864	Coegoe32.exe	97
PID 4864 wrote to memory of 2528	4864	Coegoe32.exe	97
PID 4864 wrote to memory of 2528	4864	Coegoe32.exe	97
PID 2528 wrote to memory of 1972	2528	Cnhgjaml.exe	98
PID 2528 wrote to memory of 1972	2528	Cnhgjaml.exe	98
PID 2528 wrote to memory of 1972	2528	Cnhgjaml.exe	98
PID 1972 wrote to memory of 1936	1972	Cpfcfmlp.exe	99
PID 1972 wrote to memory of 1936	1972	Cpfcfmlp.exe	99
PID 1972 wrote to memory of 1936	1972	Cpfcfmlp.exe	99
PID 1936 wrote to memory of 4616	1936	Cdbpgl32.exe	100
PID 1936 wrote to memory of 4616	1936	Cdbpgl32.exe	100
PID 1936 wrote to memory of 4616	1936	Cdbpgl32.exe	100
PID 4616 wrote to memory of 1684	4616	Cgqlcg32.exe	101
PID 4616 wrote to memory of 1684	4616	Cgqlcg32.exe	101
PID 4616 wrote to memory of 1684	4616	Cgqlcg32.exe	101
PID 1684 wrote to memory of 1104	1684	Cklhcfle.exe	102
PID 1684 wrote to memory of 1104	1684	Cklhcfle.exe	102
PID 1684 wrote to memory of 1104	1684	Cklhcfle.exe	102
PID 1104 wrote to memory of 3168	1104	Cogddd32.exe	103
PID 1104 wrote to memory of 3168	1104	Cogddd32.exe	103
PID 1104 wrote to memory of 3168	1104	Cogddd32.exe	103
PID 3168 wrote to memory of 4660	3168	Dafppp32.exe	104
PID 3168 wrote to memory of 4660	3168	Dafppp32.exe	104
PID 3168 wrote to memory of 4660	3168	Dafppp32.exe	104
PID 4660 wrote to memory of 4676	4660	Dpiplm32.exe	105
PID 4660 wrote to memory of 4676	4660	Dpiplm32.exe	105
PID 4660 wrote to memory of 4676	4660	Dpiplm32.exe	105
PID 4676 wrote to memory of 2656	4676	Dddllkbf.exe	106
PID 4676 wrote to memory of 2656	4676	Dddllkbf.exe	106
PID 4676 wrote to memory of 2656	4676	Dddllkbf.exe	106
PID 2656 wrote to memory of 2128	2656	Dgcihgaj.exe	107

C:\Users\Admin\AppData\Local\Temp\e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe
"C:\Users\Admin\AppData\Local\Temp\e576ea736cffa9ee1232e78c798bcd0759c28cf4a9644415c143749f2d12e1ddN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\Bknlbhhe.exe
  C:\Windows\system32\Bknlbhhe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\Bdfpkm32.exe
    C:\Windows\system32\Bdfpkm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Bgelgi32.exe
      C:\Windows\system32\Bgelgi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
      - C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 400
        30⤵
        Program crash
        
        PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4092 -ip 4092
1⤵
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
320KB

MD5
def64a457ddfba0d7d782b0a15f55e69

SHA1
5ef2ec2e0863612a693993717c6f2a1b22bc6fa7

SHA256
27ab4056594d2ab3646facf190f93eaf3227bf0f0b47f5460f0e17bbe310d2e4

SHA512
edf6c9ce1f1d8ad215895e6a43f79432b4ca27344ff24ec651199c4eab8f11c0b01690a785b99a96b6e86aa40ab6462ec6fba330d0e3776aea9cfa71ac23c88e

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
320KB

MD5
96a5dc595cbf83f2d7069e437e1a7fcc

SHA1
87e1d5befb2038d66b1516f20e5cb675854952b4

SHA256
0281419ccbbbed6cffc39ca44ee454f79038a8de9a871d4599f89a13f049aec4

SHA512
e2b0dc6f2b98c20bef6f8b33ad248cf90c743a0a6eef496b85ab1a99686b6f1bc96ed7d88a13e01d6cdc966c853355415292db30ffcc59438511c6a9a8a980e6

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
320KB

MD5
dd2f009840f369148a32bde0d1cbcbf7

SHA1
3f7499a30a2d7df23070b7950a306e8bca58fc2a

SHA256
82b2adc237645868668d708609c5eb9cd644e29f35d6e903a1ba6d76fd087059

SHA512
39273f6e5bfc77e6bf2ff16137a481aac7ebcd91809d230d8ae7f4f301627a933741b858a070f6fba379bb0676d84ae261aab494a0f45a335488245e4219a508

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
320KB

MD5
bfc9d0c9d196ba748cf28c8f1f7ced3a

SHA1
4540a43e51c280412f78a52e184ac1ec6c776ea1

SHA256
44d547d5ca23cf4eac626034c958ed64aa6bf3eb09bf04367d1cea34ead8a9ed

SHA512
c945c9a5d80700a91ebac2e96c63aca150225184b9a51256af4a03905b2cdbd1b209609847b033818b716b600ca052c390e028ec5392b0a1d251c265a03b01ae

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
320KB

MD5
37b77145c9f8ef58dfd8cb3acc9cd747

SHA1
854fce5df79f063560ff8f5e698fcbc76f9aba77

SHA256
7403f81801b42e3338263b13bb2a32f927b5b5f128eb6b96bfeb49cec662b9a3

SHA512
cf29f4db68cc6f7b079ff4546e6e5430de4fb8db3a3969a6c68abe56cdf044a69ede278ca2f4e692a6dfe596866b78a201951e7e1875adf98a089974c832204d

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
320KB

MD5
c84b3cb2cbb7fa10d3bb37ceaad5960f

SHA1
fbef6ae04e31b2321721b62fcc810d3173e90e28

SHA256
52dde3e269125849797790dc5a497aa9dc1ea83a43335037e139707005486abf

SHA512
158dc42683d7e7c0e2248c873b133ca68610e96947002dc7c7f9b3f10ded86d855a8b5c175d96adc351337a00dfad4abae3fbdaf99f548f4c2470a56c818c617

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
320KB

MD5
f5031775178dbb0fdbf0d518ffd1ab2c

SHA1
064b73ad94a560bc723d7331e26eab4655983712

SHA256
1df79c9bfdae20d74f3d6790591dba8dfa054cd24975d6053c8dfa6c7d5d69ad

SHA512
ae4786930ea26cd89225864604cbba57912ffd5b79c149db76f22e3326daf80e2746b6e352feea0dc01e6eb56e31c935403f9739b99feb8178859ab1f1ef8e51

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
320KB

MD5
2b1690f4b3c848b04642fdf530c5cd86

SHA1
69d8b8a9418384f6d1e1616e67c298275ca92234

SHA256
0b18a0c9fb3ba7d9e717e12582a9c9fd986f0157dd10cb880c5a48dd6175a2d7

SHA512
bce588218f0d400e7823c06fc43db9b31e6a72be4dbb9f81d28525291c382614efb4b14b2a98dea57ea6aeab461b35ea8d5a9150efe566d415099418de39f84f

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
320KB

MD5
dc8e7c90bd4bb4a786145cfc942f6ddd

SHA1
8cff14f5d70bd745626f9a13acf318932142478c

SHA256
05ba210f72a954470e561a67424e822e38fcad12122c12120bd2c2e5ad68ea89

SHA512
5e786808c2921272948ce249bb3128eaf6c1e3e584342528fd656fb3e1c55d5102ea8c19ed0b03bdde8383d37837c34cb6c260d21834fa463f8f9507a54f16e2

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
320KB

MD5
e3ad04fac2ece5ab0f8d509e0f6ef627

SHA1
e1a47a1eca0ead9d8a1ecf3628da3fd69211c29f

SHA256
44dcc535a1b9b3fd8082a9b190a9fbe7023dbe8621d9c0e22ef75088fc170810

SHA512
d7146f51d2fa7dd113df7e2704a28cabb9d23338d4c1da32503b19371ddfbe5d00b08fd12658249379b96cc03f982b9b5182c99f4fd38f3e7e43c1401946f17f

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
320KB

MD5
c1880f3f4bf5595fc8d09ac7cee2664c

SHA1
421e5954ee2c338ecbf7bb6a6b0d998fc510e72c

SHA256
c53c5230435e38550d70af9d56998d301d3f253f0d5f1b9bf889f0a22dfa1d61

SHA512
d1b3407710bc757af92d8e19019b3c49c26900b6c09ad160234ff6e3b115020b55ea992335cfb00315b90c03a151d2c47fd251290e9733d1fe56c5a450430be3

Download Submit
C:\Windows\SysWOW64\Coegoe32.exe

Filesize
320KB

MD5
bd8a4844526d0fa22a7f64bbb049e527

SHA1
3090eced320b113049bfcd8d9bee73736509fb2b

SHA256
8644a68499e26ad61925957f3d96687732b79a0899976229656360b3be1f9742

SHA512
b6752afe9b3e299fbed5706eb012782bc786405eeedb05fbe3b5151876a4c253ae6911d23d420b7bef98b121e591f0858ac7647388963a8f7c20350c9643bfa0

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
320KB

MD5
86b35e296169de5d6d5daf7ddb63f0bc

SHA1
1687edf782e6cc50edd988b75108c392054212eb

SHA256
5e5ff8cb7a572d83faeb7a57bcc7153d9d60ba78119911d6872d685b527fb562

SHA512
412f311fae9a4b5e35a78398922909f2a494202528144d65db60f3cc22a2685ee4c24ab2d6682566979bb4158022ca2f8c8108b9bf6e5bd5382f1cf122c76fcf

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
320KB

MD5
96e84c21a84a6c235a6764ba7d506acf

SHA1
afcd418fa637209fce1d9c357a2e758d7177ae02

SHA256
123bb547f947965b5973506306773cd8e39286cd1bbdfa9e5fca5ca4b5d9b543

SHA512
78bc94f010d1856dfc6aacf58d757f2786b7e0b10dec2800fa90cb4d40f9152d448cf72589fa04e82911783a009a13b15bdb68d5ae2adcc8f9b4b4d93f954ec3

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
320KB

MD5
66a7b83dcaf3b37fbe2e1b51752f908e

SHA1
81b28141d18893180ce637c0aae5a0e7b91e8640

SHA256
5b4321c8ea5c16aeb79c34e861237061d758824c4ec721ee880317a73398e486

SHA512
f9f067b19f9ec810f28b32a98ff1115aa99237b6ad2830fdaef52403d5e20c01aa63610d260d419dc306385cd038b35dc5667deef5464eaabb8d7e637b1dd05c

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
320KB

MD5
88cba51867375143482e4a865264c658

SHA1
f8eebe4cb3f9fc769386767424bff283cd1e5c5d

SHA256
c4b059b73dbc449e4fd79969eb24a48740925b3e418fca5f3461226a22d0e90d

SHA512
c099834d905f5e4d8530824c4f139cae7ce5d5bf60d4ac8e49110a48f874946d033c59cbbcd97577e0614ae3fc8b19d775576b3cdd150337fb9b8b8ab4f2dece

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
320KB

MD5
2f8c32ba0692096911e5974e6b4d364d

SHA1
5bf666992addbbe4bed48010360417c733c9903a

SHA256
57bd46e9dfae60824f58bcfa608d462a49975c33fcf7b824731ed3d9b6df99dd

SHA512
160058e2d53b1e81dc57e187c3d71203680cd90b5ac1521dd31288546af0ff82de42be4d9522bede4d84b399836a0843d894c663686f1fd591838e6d5c626d9c

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
320KB

MD5
51a4fa214bbae17f5093bacfabd882ef

SHA1
454a3909182bbb058619032960c006dc5b63ee24

SHA256
d7fd77c4c826e3c8bd7d4129640c0ac070155c056ddde1cd79121ab25fdf6a4a

SHA512
a8925e4f2f6aa47483a2513de76ec54b9bfa257eeba5c02f5555adf654a0baf328a6978079664f72276e1291366026a1a4fa1145c9f5c303dd526cee51a9609c

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
320KB

MD5
d364b66222934c7aceb35b36d5403d09

SHA1
0a383a1b37405f2fc3c44a298d7d258104e3bd34

SHA256
4823169228d1f6acabf3cecd2aea40ecb3864805a21a340df87cc79c71f27f0a

SHA512
d851f129b6e49c8a2ea56e4c57ef398ee426b19f042192e4db04526216f17a7b63498022eff9f4db8c766497668208027b32012bfd2beb60a7c76c8a2cd9954d

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
320KB

MD5
4de7d8c7c9611a48a8cc7785b442ee01

SHA1
99c170dc1c6eae482782b877047cbb56b0d8dea9

SHA256
5ac35d5c83bf8976b7916d23577f33e2f128eb4f09868703dcf2ef616867a626

SHA512
c83acd8ac738bd36e9dc098b6f608e3360f373bb0d4a9a209f56239a31f7b0918731852bd5db42c765894c6e63bdb662c7f321ac59cc1efb3d30b3ad498a1b3b

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
320KB

MD5
cac3fa253ca288fc6b3484988ba81bd9

SHA1
b71a389447e0c6c3bf140e73ed6a58d15450d434

SHA256
e4b4d18a01568c449cd9a47a7307789dd8337caef7c49da2a630b8d15fbfa89b

SHA512
1be7128a68fd6232a39fd27f8176459c654ca6d3d0da94995f31ea9cf026aefbb6cc820cc5367dfb3613c405c60512ece837b924f9499d77556de6f65ef4569e

Download Submit
C:\Windows\SysWOW64\Dgeenfog.exe

Filesize
320KB

MD5
01b8184dc2f4c667e99b7e39ff23183a

SHA1
03cfd9e1a3d008dfb8e31e33821eff691e949223

SHA256
33078017badcb40324210e912ec311bca77f96d3ea5259c9408e3b9b614fd342

SHA512
17750f882e2aee3728d5cb9188bdf4af106ab74b30e0db4deebdb02cdcdbfca33687f7e1c46b8ea42ee9fb9d7b2618bb24c9b79bf411462c65fec8e24a24ab64

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
320KB

MD5
33a8304dcb749a48371fe454a192fe08

SHA1
b341cfd9e8da9ab67a6c46ab97e1c7c4433ea18d

SHA256
3cdde3a9deee6d7a704665d91d7e311b23cff2e02cea9b90be84d003a7431e97

SHA512
47b4de3172b9795e78050d8c51f8bd1cc6df752e71b71cbf1d3341d13a2d39c61bedec3c04506644784bf3d4d9821bb153ad437b07445a690bad534e1fc6e352

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
320KB

MD5
8e476cd82e95b00a0e219846f3b5b6d9

SHA1
fae49eaac5970252c3bf8594ffc4e6b80142ed67

SHA256
4905ef2f4fc500d76cb5abd962bb194ed5328294c311fc8ad2255b1d21c62f04

SHA512
221914a12def335bbfeaf92e627642c56e7c97eb1eb19456e57b499480ebc3257efb8e5199e9bb1907ffad1c97c7ab5ac05c0b0b1281cb282c08fe7dce414206

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
320KB

MD5
517b96d22adea016cae28ce834051a43

SHA1
4a2c14cfc5d1ddd01a3c69b47d74b638c803bff9

SHA256
a9fcb6b14c243522ec80d37354f239c2045784cf8d48a840298f801ae2e745d1

SHA512
20559eab00a360a56eb4128bd90f109769e87ae282d464900b16c2ece369bbc7f7a41f5e303fc3edff3f130b8d8201e801ac63e005a5f2d9773004eacf3e010c

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
320KB

MD5
af88f2289763d70fec8ef77445fc0c08

SHA1
052f1b02015b53216c383d738dbbb338dae6ffc6

SHA256
46b7b3a450cf441e657f4fbe2c589432bc2b46a13f54dba1e12c7e1be4413c8c

SHA512
ee5a15ea6d872b6ac4ce8dd85cac0fde5245094250aff952e01f02f2a79c0098ae52609785a6a3b63c672d1ab14791929309cc7814cb547d062d8860b15982b3

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
320KB

MD5
9da9500b022026ae09ab4010086c668f

SHA1
15909604302667583bb8538b9d1289f52425185b

SHA256
1dbb94e46e5bb5d3b4dd8996ee7283f13c61859773ca879ea16a5375934ac486

SHA512
adb0f24d727bb2da09ce6682ebe18913a51502064f969c531754cb1f3e2325ba89ba09b153ccf2408cba8c629fc1e6cfa4fe6d76e17eada7bf2f58516043857b

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
320KB

MD5
82e928e88fdf1d55f00703501130423e

SHA1
cdcae545f3db10228784554d53efaadcc7f60baf

SHA256
04b08814361e4ada90c70ec7a3bd7745a284569ecd7c66ec894c5f113d42a45e

SHA512
0276c27b091a607a48b04cf582b087e2dc7f1655d6ec8e04386918a097f1e3f89eb05899229de6f0fc4ab33ac8e8aa3dbf5971cc5a3547e796ace2f1ac862d14

Download Submit
memory/624-232-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/624-194-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1104-139-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1104-246-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1680-226-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1680-219-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1684-248-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1684-131-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1936-117-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1936-252-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1972-104-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1972-254-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2128-178-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2128-236-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2452-55-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2452-266-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2528-256-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2528-100-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2604-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2604-276-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2656-238-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3000-80-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3000-260-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3012-24-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3012-274-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3036-234-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3036-187-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3168-244-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3168-147-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3204-264-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3204-68-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3692-228-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3692-211-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3724-270-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3724-44-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3980-202-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3980-230-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4092-224-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4092-222-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4512-262-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4512-77-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4616-250-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4632-272-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4632-31-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4660-156-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4660-242-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4676-163-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4676-240-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4772-278-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4772-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4864-258-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4864-93-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5036-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5036-280-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5048-48-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5048-268-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads