b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22

Analysis

max time kernel
101s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
Size

89KB
MD5

7b630bad2ab0e7bd871141414a474e70
SHA1

49a5b9e8c1b44666656e57a7f2730c81706c0038
SHA256

b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22
SHA512

47f82f9e1eb66abea132ef3248e1ba21fb83cf8b8dfefa4d9974ea2306defbd7c0f3b2fa30c546a6db0ef996b55948342066e5f1c8f163a849e32bf5d72b8117
SSDEEP

1536:TOag0dDxpDsuC8ZIQ5AkOvabMsm/H+8kmacdlExkg8Fk:T57tvouCwIeA3s2HGmacdlakgwk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe

Executes dropped EXE 30 IoCs

pid	Process
1948	Beihma32.exe
4792	Bfkedibe.exe
2528	Bnbmefbg.exe
2620	Bapiabak.exe
3060	Chjaol32.exe
2584	Cndikf32.exe
3712	Cenahpha.exe
2612	Cfpnph32.exe
468	Cmiflbel.exe
2952	Ceqnmpfo.exe
4780	Cfbkeh32.exe
3180	Cagobalc.exe
3040	Cfdhkhjj.exe
4280	Cmnpgb32.exe
2664	Cjbpaf32.exe
3216	Cegdnopg.exe
4876	Dfiafg32.exe
2912	Dopigd32.exe
4692	Danecp32.exe
2112	Dhhnpjmh.exe
3592	Daqbip32.exe
1976	Dhkjej32.exe
3544	Dkifae32.exe
1560	Deokon32.exe
2876	Dfpgffpm.exe
3380	Dmjocp32.exe
408	Daekdooc.exe
3584	Dhocqigp.exe
3972	Dknpmdfc.exe
688	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2412	688	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1948	5004	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe	82
PID 5004 wrote to memory of 1948	5004	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe	82
PID 5004 wrote to memory of 1948	5004	b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe	82
PID 1948 wrote to memory of 4792	1948	Beihma32.exe	83
PID 1948 wrote to memory of 4792	1948	Beihma32.exe	83
PID 1948 wrote to memory of 4792	1948	Beihma32.exe	83
PID 4792 wrote to memory of 2528	4792	Bfkedibe.exe	84
PID 4792 wrote to memory of 2528	4792	Bfkedibe.exe	84
PID 4792 wrote to memory of 2528	4792	Bfkedibe.exe	84
PID 2528 wrote to memory of 2620	2528	Bnbmefbg.exe	85
PID 2528 wrote to memory of 2620	2528	Bnbmefbg.exe	85
PID 2528 wrote to memory of 2620	2528	Bnbmefbg.exe	85
PID 2620 wrote to memory of 3060	2620	Bapiabak.exe	86
PID 2620 wrote to memory of 3060	2620	Bapiabak.exe	86
PID 2620 wrote to memory of 3060	2620	Bapiabak.exe	86
PID 3060 wrote to memory of 2584	3060	Chjaol32.exe	87
PID 3060 wrote to memory of 2584	3060	Chjaol32.exe	87
PID 3060 wrote to memory of 2584	3060	Chjaol32.exe	87
PID 2584 wrote to memory of 3712	2584	Cndikf32.exe	88
PID 2584 wrote to memory of 3712	2584	Cndikf32.exe	88
PID 2584 wrote to memory of 3712	2584	Cndikf32.exe	88
PID 3712 wrote to memory of 2612	3712	Cenahpha.exe	89
PID 3712 wrote to memory of 2612	3712	Cenahpha.exe	89
PID 3712 wrote to memory of 2612	3712	Cenahpha.exe	89
PID 2612 wrote to memory of 468	2612	Cfpnph32.exe	90
PID 2612 wrote to memory of 468	2612	Cfpnph32.exe	90
PID 2612 wrote to memory of 468	2612	Cfpnph32.exe	90
PID 468 wrote to memory of 2952	468	Cmiflbel.exe	91
PID 468 wrote to memory of 2952	468	Cmiflbel.exe	91
PID 468 wrote to memory of 2952	468	Cmiflbel.exe	91
PID 2952 wrote to memory of 4780	2952	Ceqnmpfo.exe	92
PID 2952 wrote to memory of 4780	2952	Ceqnmpfo.exe	92
PID 2952 wrote to memory of 4780	2952	Ceqnmpfo.exe	92
PID 4780 wrote to memory of 3180	4780	Cfbkeh32.exe	93
PID 4780 wrote to memory of 3180	4780	Cfbkeh32.exe	93
PID 4780 wrote to memory of 3180	4780	Cfbkeh32.exe	93
PID 3180 wrote to memory of 3040	3180	Cagobalc.exe	94
PID 3180 wrote to memory of 3040	3180	Cagobalc.exe	94
PID 3180 wrote to memory of 3040	3180	Cagobalc.exe	94
PID 3040 wrote to memory of 4280	3040	Cfdhkhjj.exe	95
PID 3040 wrote to memory of 4280	3040	Cfdhkhjj.exe	95
PID 3040 wrote to memory of 4280	3040	Cfdhkhjj.exe	95
PID 4280 wrote to memory of 2664	4280	Cmnpgb32.exe	96
PID 4280 wrote to memory of 2664	4280	Cmnpgb32.exe	96
PID 4280 wrote to memory of 2664	4280	Cmnpgb32.exe	96
PID 2664 wrote to memory of 3216	2664	Cjbpaf32.exe	97
PID 2664 wrote to memory of 3216	2664	Cjbpaf32.exe	97
PID 2664 wrote to memory of 3216	2664	Cjbpaf32.exe	97
PID 3216 wrote to memory of 4876	3216	Cegdnopg.exe	98
PID 3216 wrote to memory of 4876	3216	Cegdnopg.exe	98
PID 3216 wrote to memory of 4876	3216	Cegdnopg.exe	98
PID 4876 wrote to memory of 2912	4876	Dfiafg32.exe	99
PID 4876 wrote to memory of 2912	4876	Dfiafg32.exe	99
PID 4876 wrote to memory of 2912	4876	Dfiafg32.exe	99
PID 2912 wrote to memory of 4692	2912	Dopigd32.exe	100
PID 2912 wrote to memory of 4692	2912	Dopigd32.exe	100
PID 2912 wrote to memory of 4692	2912	Dopigd32.exe	100
PID 4692 wrote to memory of 2112	4692	Danecp32.exe	101
PID 4692 wrote to memory of 2112	4692	Danecp32.exe	101
PID 4692 wrote to memory of 2112	4692	Danecp32.exe	101
PID 2112 wrote to memory of 3592	2112	Dhhnpjmh.exe	102
PID 2112 wrote to memory of 3592	2112	Dhhnpjmh.exe	102
PID 2112 wrote to memory of 3592	2112	Dhhnpjmh.exe	102
PID 3592 wrote to memory of 1976	3592	Daqbip32.exe	103

C:\Users\Admin\AppData\Local\Temp\b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe
"C:\Users\Admin\AppData\Local\Temp\b2897a94af1ba5d38d6a6be3d0a8cffc91ad653f8936409d2d74d201e28bad22N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\Beihma32.exe
  C:\Windows\system32\Beihma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\Bfkedibe.exe
    C:\Windows\system32\Bfkedibe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\Bnbmefbg.exe
      C:\Windows\system32\Bnbmefbg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 412
        32⤵
        Program crash
        
        PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 688 -ip 688
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
89KB

MD5
eac270276a5a8793b0deee6b53ef9da4

SHA1
9c5c3b1b31c46018a14b84fec7d4da3ea5d3efde

SHA256
02ef0cb91c1775d9dd0ef20406f7e176eb2fb9e4dc44e96520e7b31a8a646c4c

SHA512
beb7995c66256ddcd8c642159894710293bcdac8ff7f2fdb4ede2b3ce0b24fe34502d6cd2395c3040e3bcc609b9769f916e410af2a8110be76ca1885bae6ef4b

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
89KB

MD5
d41b07a85ffa2b1e134688a319b56757

SHA1
52da9860133a89b5f47c6c18ba44b9c9a183a815

SHA256
4b5cf3c10aaed7d45db08039093aefe49559402c6e8ca9a7d1b11a565c761a5b

SHA512
dbc32462a5a72b0d46b028a00aa5d628f21e28571e6f7478edca5b704218fa4c90ba6a2cc9898f272b43fc5580963b37db8b4b6889c6bbfcb970674e9c242d83

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
89KB

MD5
216e13c711df92cb4275a2ad4b0c9314

SHA1
504d6140475dd6d5bacefd7c92bd6a98864fec3a

SHA256
fc3c463e4af4e96a6c97ad6951473e50bf18fece02b06cf0fa842e144bd3ec08

SHA512
84dc3e92f3511c1c2a2efa4e7a8b05ae13483ebdb3342a2e47f28d1f0bfa265cd01707c341b40c13fc6d063e76dfcf78d55d22edf0a0097b2b1865496d5bb54a

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
89KB

MD5
0b1d81f06bd7e58a3cb9bc5eec0f93b1

SHA1
c25a44ca18102b585b63313eb5dabec3f4a2a80f

SHA256
425f369dc20c2e25c1b00d27e340936771dbf45b48dbef0241fd85a4f9d958e6

SHA512
000c3b7d34782bbc8ce03948e6962f5e692843e830d7e2cf4a582d117aee5274c84632c1e9ccc736a7133cd4bda3d749f4b19fc4fcb80dbd8c6ececf4319d386

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
89KB

MD5
e6e4c89fe55e475631fe6370370b9d5b

SHA1
f7c8703a0511d12129b36cd1b9bbdd30d5426ea1

SHA256
f3bbe4fbe1cda2369c198ebcac857152a3e5d6630f6421dbfdc6bb0442ba24f1

SHA512
07fd6587bdde00c7c0b1410365204ffc0163c8b4adc8d209227d2634299c759d6a9b65e98b494f054bece3dea4bb35d32c69d99b3e8f6764ac15d9890af4ba2e

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
89KB

MD5
fa63b318f9768ddf106b99504336e670

SHA1
bcf2dd891a9955bd93eecf918f6c20d6d49ea0d7

SHA256
1474614b4020c53aa2e71619af4df545a62e0e6fbe5eb7b5dd44096c0a16c193

SHA512
199395991a0955366238006e2cb08b595c0a8b3ceb3f39f1ddd3cc3009c3c2ac4ced545f8c345446b3aef61927299a50bdb87cde6afcd11d4e6d4f1cd5337fd1

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
89KB

MD5
a4bba228d6e9c107a59f940afcf2f4cb

SHA1
08b49116f0e9f809abda3af873e72901cfedc886

SHA256
1917a78c90bae47d609dd4a41c8b90b1583b22fbde4e540c398701e3f286edb7

SHA512
4ede032702723aeb17fc6802a9ac570b88225d86ed931f0b6199f3b61351e79b6c753425c01ceb3c97a833c52fe4b62380cb88b4e44afe15cd77612a976cbc3f

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
89KB

MD5
2dce6c804b2d0aca8e90e4f388f32b86

SHA1
3527f54ab14443c30e9445debb4e7e3a7c52d391

SHA256
6e3a6095ba17584cf1032d6deed07224e586b5ded6a15ff719a95dce7ef94b6e

SHA512
f16ea08145c09589cf6e617c606036d16165fb75d41a420222ad7b2f591e8653b3afcf706fc2c5fb0b83363fa12222a5ebf4caab5eb500258144549b03d29a18

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
89KB

MD5
1f6a94799a273c2fe2b4c627e01b0c02

SHA1
18b0568646e7d62b98a2351a31f4cf24ccff8ab3

SHA256
a3a1a3ac93bec64131795e7da9585f04a5ab40c40c63b60b00ff36ad9cf70595

SHA512
a7215dff81388f2b14a2f76a3452e61c4f311dea93ce6dd1b95f64db89d0b30d965610a90091441e7d5e3b138adca8c5b3240a466f97731ce1483e74f8c6ca66

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
89KB

MD5
eb9c97477ab7d75caad809a0ef1cd258

SHA1
463a5aed46da64d8428751ca4cb4eac25595d386

SHA256
e5794f3b17d2d01a2da0f6415ddaa467191451376840cd30c0689c2f14dc50f3

SHA512
32528579120dd3c814b1aa9697473fb6f0a7b22a6cf7ab890de02df07edb6ded2f4f68b1a339df2079b8122ea9b16a6a4f4a8938a573dda7477f7785740f2ffa

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
9ff47ec6a3959f6bc42230b8ca4f1625

SHA1
0de5584a92da69f15dedbc7230ab896305df7bb6

SHA256
06c3e615660a76f27fae351a36acd9ec7a4a7891419646b7a146f955a04e90f1

SHA512
7e1193bbae7a47a57be714a6370fc2e836f569c6d1bb5c351e50cf98213f0c316b50b1b2705229545a558b7fcb3e5a9fd592ce50c448b5c0606d24d7c0183252

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
89KB

MD5
77014ab9b97a2dcf415b2be382681457

SHA1
b8d89b8294d00eb257c00e7342548fac89655532

SHA256
4dcc6802de71181e58c3d98981cba8e17f231e9b8f3c158aff652271c09efb08

SHA512
a16f0efdd15190643f20c545de30e6fc1dcd3cfb00b921cc76d2e3270fd73ffe8d09b5ecc58dfc6ffc240a05277cdc3d3f426372f4c98078cb12de35f5854705

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
89KB

MD5
cf0f61c02cdf24a3ee2db493952aab50

SHA1
61829c3f9e51d3b95c0c11838d9f2ba93fa6361a

SHA256
2209ac1f46bddebbe5d547b55283fdb3136ec97455656fbb63666b073471eeb9

SHA512
86ed5021af685c9651f519e1de85559b7bbc2dc9faccb2249c5af0a8779e9efdf326b5a0fc974c0af6bf9ce5f5e94298fcb0d764f99fbb8b7255c685acb83491

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
89KB

MD5
a746f3ae463ed12f4a0475be2d614d7a

SHA1
1bf1db48a4e4d3eb21b924bf17649ebde0fcedd6

SHA256
886de5040e5144bff5f8279ce2bedd6a51554396f54b613fce887ec43290a7d4

SHA512
ae4a0c3130cb947bcb2d3c0bcae783608e15da5ab4930297a18a5b98cfd8f0fd9fe04e11ed77618026e182ca687ab4a507332da65321ae33ef6958d2f4149ac5

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
89KB

MD5
19f89026afad5856664f4b36e82a0d19

SHA1
d5c953900b75bff2ed4fce1dd36de2c6ba064e2a

SHA256
8a23fe642b4755b2062b4aeba8ad48735c04037725891c38a84677ab796bd7bb

SHA512
019653bb14775e660b2b8cff44a035696b316502b23545e7b1fe426a591e22008b3ff195de3222bd1b112a9f548d1110aa182140740d6ed0f30490ad9e5ceca5

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
89KB

MD5
9a2f15c68a4168a9aaf80f663cc10538

SHA1
05bf37b60bf982924182a05f8ccba3eb5d97d163

SHA256
daaa609abd1462cdcb2ca796fdcc0115831f41faa8528bf79e08b7cdbb2c9427

SHA512
3decc6470e9e073c180fc78d35703d31027c9674fec6447fbabc22e9e0627bb5944eeb14bcf344f899655cc6a0e495757638f79ae04c22c5446d9f0d671bf5c8

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
89KB

MD5
249d02e9441b89b47627b7e743f9af37

SHA1
2ede32da2c00cd1f95d16ebf3861743900a29926

SHA256
47730629388c252f43e099876aa82dc04e909b304a6e292dea23eb269cc001b6

SHA512
5ede29e7b99e0a03aee462f6ef5d2453df72de421d232cda9abbd5597e76f1c38d38acbf3d559bff57b124bf9c7d221e198cffd121a65873d3eb746f0379a332

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
89KB

MD5
3b14a46c9197a27639d060a6cef43584

SHA1
0e6807abfb9786cb4a6bdf552e43da408116ee42

SHA256
0581aac16f6e1714a4d9a5fc1e04694c86f5d9aedbe8ba0203ee6d58c39b6e18

SHA512
e07c9ab7fe2dfcb0f5a8eea340e9835a09bb2ed48aff35198b7d18936948494e1b0937e6178e3ddb83e727eb592caa0e75c970fa26769ad7bdc16b092e0a24bd

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
89KB

MD5
5f8490cacb7614b0fad9cb807160424f

SHA1
ab506971c35aef179dd6332864a8376a913a9d90

SHA256
a4ffbd17b7141a6b9e75c41ab52bbcd46465470b8665a640e5e6d3724ccad6d3

SHA512
adce0276f2b8e502b024d81009ab11b3df2d8583af0f5e1a40f400a72e27a77a5faecd778b3e8397f5613152d45b4758dac0a903d5c22e3f6132dcba3a820fdb

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
89KB

MD5
d44dd4e8e18f4718155fedbca2a69e55

SHA1
318601ec2b9f29532788f92a4c4058da49f09dab

SHA256
704eb466416636f7649bb46a57d1f6b409f4b7773154a3db51d1bd9f98e93141

SHA512
a2b2f0ac539c02cea6be83fa6688f5fd8f520a575cc68958d6fa5951b1c6259e322b6eb15d33a932454231fe3e5194ec629b8e3edfdeb08c4c76509b5611bf08

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
89KB

MD5
2d998312a532e2fde3961d481f3ea204

SHA1
0affe195240988b29cc535c580973ee509f2b3aa

SHA256
751909003426a4f0e2c1bbfd66021460e8a07d9ca021e1ba9e540788fe1be2f7

SHA512
672e32c8eb2638ae3f75a0c2c4b96e3a272ec3d835af3da810ffdad8b96aff86ecad49eb584a7d7b3e10164d9dbf6d249b5116700160d9faf8900be440e39f2c

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
89KB

MD5
4b5bd291229a3d9779c9d5ffb0706427

SHA1
696989b6fa9f2f871f2df21aa3597f7ea83e9e0d

SHA256
22ee02759e58527ab54b3c5129be9a66f498e389375b5965dc1d6f7d62210f46

SHA512
0e5581fb5c8ab95909ec15e2e816affea787458255cda9bccd65a059b3e9ca26191155d31f6707d5187965fca96207e4e066af4a9c65ec15257554f2454bd1a0

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
89KB

MD5
df97d12c094f174e96514227137d8a37

SHA1
289a5ffd730f454adf97dae2b28440ae850b7ec9

SHA256
3f542542008916226d95ab87e9058bba469594cad96ee5c2927bd39b15e51f09

SHA512
65c2517f46052c32373aab6e2b5922f79d1aa45dad8b6f345e0ebae43be55c43747a658481e3bea21355734e8130712c5ea02ccab51b9f23782f4bc363d59098

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
89KB

MD5
3e0f63ae880cceb0d881b1033add90fa

SHA1
2db72f0c52d00a35f915b55d7476d7f85ca044d7

SHA256
a1f393eca29ed8cd58e6f41ba4c805a71ee210f67a643570225633f35a88e946

SHA512
2fe790a8ca0f6f4cacf558966d59c8dd42bf339e1517bd0985bee63bf55cd99ce8422f7ffeda9c262e0aa988d6c3e9f324e85965e33ae90e88b636fca8df9396

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
89KB

MD5
4be1ea081529f3417e1df22172499d3f

SHA1
d192f9b924ba9ddac70a11abb211b380baa649e3

SHA256
1f5c1a015a3cac5b39f6bfa3c1f5aa4ecf16af6b0c8a07242effc7ece20fdb08

SHA512
8b71fb4b1a91ee99b51b99653141843cbcca6c4ba5355a5166dca9741e12b7ae7d24d4172afc13c8dc929420fb2c25a52d78ef84909177c3b7611c7e2f914081

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
89KB

MD5
d721a50c6e9879148cccdae6e942b290

SHA1
742a2e6b19d2f838a4da5d9aac4c76e5ebf49c91

SHA256
e4feebb3a12102122abf5f04212b4b901fc62a1ff0393feebf08508f895e7d05

SHA512
0660ed4303d4662b1ede92a4e1fd80d37d3fc92f4fdb6bf21b0da42daf304d2f9182a1009b889d309118179592394a36e1ec6bbf6376a20b55864f11c8ec65f1

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
89KB

MD5
09d5139a4df3e6ff857593bff8e1ad9f

SHA1
8c4f8630b5f955a5d61142302ddb2ddcb0e51406

SHA256
8a06a046394b534badcf0009598843d13bfb2f9cdb5f29e511bbcd93df59f4d1

SHA512
e27fce516470a2986ad1feb90a15c2e4d3846e36e647f52c31dcbb565c277ad9ea32244774d3362f013fea74e231666e171dd4ae1416953ff6217cbe0b3ab80c

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
89KB

MD5
a45cc40a037274aae551c9cbab5700f6

SHA1
7999fd6f28f1b3d9b44c878f5d5eaae2861ff017

SHA256
580e42f8e82768215d2ed8f75b656f7904ee7239941ff00c006a2eb2fa81a16c

SHA512
7294f5fa7615cb3fe0c928d793c57519130d621941837085a52c5bd0514c94169de67ab306a9afb2e9951cee6b274ab0004d0616e9910fda21566c4683bb7352

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
89KB

MD5
7e30a40bb25bf1034e370fe553830de7

SHA1
75b70144c87d49ef7dc9c242aaa0ba2310753193

SHA256
53813d9055ecfa414299593f5be6d848b20fe95e481ce22f7af9776bf971d899

SHA512
fc342cdad57692a5a1f681fbfe4a11ee7c847ab39cf16c077909be0361325a4bdf94cfc6fa3d704f26c0b6b4a1087f198d837464913b99fee00d1400e203537e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
89KB

MD5
f3d4b2ef6dde1d27366dfcd30294ed96

SHA1
6bcec0a2533c7171241bb0b888c0dd1916028799

SHA256
12d2d730406e728d5d37e8506b5871cbab1ff95cb02739b88213a954c3824d5a

SHA512
6d0397fc80b1ef22b65075b142959f8f70a4a6a7e2e9aaf01b89bcd609dd0a9cc1cf9b8e74fcbe0cd96ce4243768480cabe1ef29d213034b3af4d6e9eae8b544

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
89KB

MD5
fda9306e22c28940cf9bd14c8ede00e2

SHA1
112b16e6d990b079f2f6bb9fee3a692574e7afb2

SHA256
c8492ede751a0ca867d452cbfbe996408b0dff9079c7e7fea89eb3763a4b0108

SHA512
1591f258c63b65a9a9b8eea1739fd3c3ee452830387cacae1a21fad0df432a96651f1d6f57b4835f77a81b60f3b34e339eb920afc4d533387e29384ace2119e5

Download Submit
C:\Windows\SysWOW64\Jfihel32.dll

Filesize
7KB

MD5
44b478afd338ce6ed8b2bc90040da6c9

SHA1
2d1f01e7e4d46ef43b6337a3662e384d81a74716

SHA256
961f0e7327680bef690301230352902e1d30e7ebfc94e2a9ffecbf37c0180893

SHA512
b607895790e9e3578e98aba2cb700b64de241e7bc8eb6edef038674a154201e9b5a5c5968534d1454cddc58f33b128ef60ef8b87eb7b514a8fd4fa5cf68e4f09

Download Submit
memory/408-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/688-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2952-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2952-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads