f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3b

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
Size

87KB
MD5

d0b5554d192da44e8cc57890fb494ba0
SHA1

5503d819bb135731fd7a6b440e778a1e22cb40d4
SHA256

f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3b
SHA512

a7e725d9de955c24adb91e7e7af761c220a6e062c9aa1ca283b6513d5c41f088c708310fb0b3dc04780de7ac803037c1c4b4235ac1803d54016c436963c5e73d
SSDEEP

1536:KXJqrMu44BXec4X9bOAPYGuyENDSRQ4fRSRBDNrR0RVe7R6R8RPD2zx:KZu5BXe5NSByleaAnDlmbGcGFDex

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoimlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmldji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dggbgadf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmofeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcblgbfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhodpidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bemfjgdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpaceg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlhdjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgmolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cejfckie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cejfckie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cihojiok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckndmaad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcblgbfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoffd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgmolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbkffc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggbgadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caqfiloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dajiok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoimlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlhdjh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cldnqe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqfiloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cihojiok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfdeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmajdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blodefdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmmkdkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmjhdi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjdcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfief32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfief32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmajdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhodpidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoffd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjhdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Behinlkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceoooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmofeam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Denknngk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmldji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcdpacgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blodefdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpmmkdkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhkojab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmhkojab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkekmp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceoooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmjdcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpaceg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behinlkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbpcbo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkffc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemfjgdg.exe

Executes dropped EXE 35 IoCs

pid	Process
404	Bemfjgdg.exe
2756	Bcoffd32.exe
2908	Bmhkojab.exe
1112	Bgmolb32.exe
2564	Bmjhdi32.exe
2672	Bcdpacgl.exe
2132	Bmldji32.exe
1796	Blodefdg.exe
1316	Behinlkh.exe
2044	Cpmmkdkn.exe
3028	Cejfckie.exe
1992	Cldnqe32.exe
1212	Caqfiloi.exe
2104	Cihojiok.exe
2344	Cbpcbo32.exe
2388	Ceoooj32.exe
2468	Cligkdlm.exe
588	Cmjdcm32.exe
1848	Caepdk32.exe
276	Ckndmaad.exe
1864	Cdfief32.exe
1180	Dfdeab32.exe
1312	Dajiok32.exe
868	Dbkffc32.exe
2020	Dggbgadf.exe
2808	Dmajdl32.exe
2700	Dkekmp32.exe
2664	Dpaceg32.exe
2472	Ddmofeam.exe
1604	Denknngk.exe
2064	Dlhdjh32.exe
1908	Dcblgbfe.exe
2920	Dhodpidl.exe
2932	Eoimlc32.exe
2524	Eceimadb.exe

Loads dropped DLL 64 IoCs

pid	Process
1732	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
1732	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
404	Bemfjgdg.exe
404	Bemfjgdg.exe
2756	Bcoffd32.exe
2756	Bcoffd32.exe
2908	Bmhkojab.exe
2908	Bmhkojab.exe
1112	Bgmolb32.exe
1112	Bgmolb32.exe
2564	Bmjhdi32.exe
2564	Bmjhdi32.exe
2672	Bcdpacgl.exe
2672	Bcdpacgl.exe
2132	Bmldji32.exe
2132	Bmldji32.exe
1796	Blodefdg.exe
1796	Blodefdg.exe
1316	Behinlkh.exe
1316	Behinlkh.exe
2044	Cpmmkdkn.exe
2044	Cpmmkdkn.exe
3028	Cejfckie.exe
3028	Cejfckie.exe
1992	Cldnqe32.exe
1992	Cldnqe32.exe
1212	Caqfiloi.exe
1212	Caqfiloi.exe
2104	Cihojiok.exe
2104	Cihojiok.exe
2344	Cbpcbo32.exe
2344	Cbpcbo32.exe
2388	Ceoooj32.exe
2388	Ceoooj32.exe
2468	Cligkdlm.exe
2468	Cligkdlm.exe
588	Cmjdcm32.exe
588	Cmjdcm32.exe
1848	Caepdk32.exe
1848	Caepdk32.exe
276	Ckndmaad.exe
276	Ckndmaad.exe
1864	Cdfief32.exe
1864	Cdfief32.exe
1180	Dfdeab32.exe
1180	Dfdeab32.exe
1312	Dajiok32.exe
1312	Dajiok32.exe
868	Dbkffc32.exe
868	Dbkffc32.exe
2020	Dggbgadf.exe
2020	Dggbgadf.exe
2808	Dmajdl32.exe
2808	Dmajdl32.exe
2700	Dkekmp32.exe
2700	Dkekmp32.exe
2664	Dpaceg32.exe
2664	Dpaceg32.exe
2472	Ddmofeam.exe
2472	Ddmofeam.exe
1604	Denknngk.exe
1604	Denknngk.exe
2064	Dlhdjh32.exe
2064	Dlhdjh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Paebkkhn.dll	Cmjdcm32.exe
File opened for modification	C:\Windows\SysWOW64\Bgmolb32.exe	Bmhkojab.exe
File opened for modification	C:\Windows\SysWOW64\Ckndmaad.exe	Caepdk32.exe
File opened for modification	C:\Windows\SysWOW64\Dggbgadf.exe	Dbkffc32.exe
File created	C:\Windows\SysWOW64\Epfopk32.dll	Caqfiloi.exe
File created	C:\Windows\SysWOW64\Eejqea32.dll	Dfdeab32.exe
File created	C:\Windows\SysWOW64\Jjgmammj.dll	Dmajdl32.exe
File created	C:\Windows\SysWOW64\Bcdpacgl.exe	Bmjhdi32.exe
File created	C:\Windows\SysWOW64\Dhodpidl.exe	Dcblgbfe.exe
File created	C:\Windows\SysWOW64\Lmfnaj32.dll	Dhodpidl.exe
File created	C:\Windows\SysWOW64\Qlooenoo.dll	Bmldji32.exe
File opened for modification	C:\Windows\SysWOW64\Dajiok32.exe	Dfdeab32.exe
File created	C:\Windows\SysWOW64\Dpaceg32.exe	Dkekmp32.exe
File created	C:\Windows\SysWOW64\Lgcpif32.dll	Bgmolb32.exe
File created	C:\Windows\SysWOW64\Ngcjbg32.dll	Ceoooj32.exe
File created	C:\Windows\SysWOW64\Cligkdlm.exe	Ceoooj32.exe
File created	C:\Windows\SysWOW64\Caepdk32.exe	Cmjdcm32.exe
File created	C:\Windows\SysWOW64\Dfdeab32.exe	Cdfief32.exe
File opened for modification	C:\Windows\SysWOW64\Blodefdg.exe	Bmldji32.exe
File created	C:\Windows\SysWOW64\Mpbgcj32.dll	Dcblgbfe.exe
File created	C:\Windows\SysWOW64\Mohkpn32.dll	Ddmofeam.exe
File created	C:\Windows\SysWOW64\Pjmbgjea.dll	Cpmmkdkn.exe
File opened for modification	C:\Windows\SysWOW64\Bcdpacgl.exe	Bmjhdi32.exe
File created	C:\Windows\SysWOW64\Dlhdjh32.exe	Denknngk.exe
File opened for modification	C:\Windows\SysWOW64\Dcblgbfe.exe	Dlhdjh32.exe
File opened for modification	C:\Windows\SysWOW64\Dkekmp32.exe	Dmajdl32.exe
File created	C:\Windows\SysWOW64\Denknngk.exe	Ddmofeam.exe
File opened for modification	C:\Windows\SysWOW64\Cejfckie.exe	Cpmmkdkn.exe
File opened for modification	C:\Windows\SysWOW64\Cldnqe32.exe	Cejfckie.exe
File opened for modification	C:\Windows\SysWOW64\Cihojiok.exe	Caqfiloi.exe
File created	C:\Windows\SysWOW64\Dajiok32.exe	Dfdeab32.exe
File created	C:\Windows\SysWOW64\Lhgmgc32.dll	Dkekmp32.exe
File created	C:\Windows\SysWOW64\Beboid32.dll	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
File created	C:\Windows\SysWOW64\Gpnilfoq.dll	Bcoffd32.exe
File created	C:\Windows\SysWOW64\Obchjdci.dll	Bcdpacgl.exe
File created	C:\Windows\SysWOW64\Hhdkchcn.dll	Ckndmaad.exe
File created	C:\Windows\SysWOW64\Dkekmp32.exe	Dmajdl32.exe
File created	C:\Windows\SysWOW64\Bcoffd32.exe	Bemfjgdg.exe
File opened for modification	C:\Windows\SysWOW64\Cpmmkdkn.exe	Behinlkh.exe
File created	C:\Windows\SysWOW64\Caqfiloi.exe	Cldnqe32.exe
File created	C:\Windows\SysWOW64\Eceimadb.exe	Eoimlc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmldji32.exe	Bcdpacgl.exe
File created	C:\Windows\SysWOW64\Blodefdg.exe	Bmldji32.exe
File created	C:\Windows\SysWOW64\Eoimlc32.exe	Dhodpidl.exe
File created	C:\Windows\SysWOW64\Cmjdcm32.exe	Cligkdlm.exe
File opened for modification	C:\Windows\SysWOW64\Dfdeab32.exe	Cdfief32.exe
File opened for modification	C:\Windows\SysWOW64\Behinlkh.exe	Blodefdg.exe
File created	C:\Windows\SysWOW64\Fhdaigqo.dll	Blodefdg.exe
File created	C:\Windows\SysWOW64\Lgnabh32.dll	Dggbgadf.exe
File opened for modification	C:\Windows\SysWOW64\Ddmofeam.exe	Dpaceg32.exe
File created	C:\Windows\SysWOW64\Dlfpln32.dll	Dlhdjh32.exe
File opened for modification	C:\Windows\SysWOW64\Dhodpidl.exe	Dcblgbfe.exe
File opened for modification	C:\Windows\SysWOW64\Cligkdlm.exe	Ceoooj32.exe
File created	C:\Windows\SysWOW64\Ceoooj32.exe	Cbpcbo32.exe
File created	C:\Windows\SysWOW64\Dggbgadf.exe	Dbkffc32.exe
File created	C:\Windows\SysWOW64\Mjijeh32.dll	Dbkffc32.exe
File created	C:\Windows\SysWOW64\Bfkfbm32.dll	Eoimlc32.exe
File created	C:\Windows\SysWOW64\Hbbhogeg.dll	Bemfjgdg.exe
File created	C:\Windows\SysWOW64\Bmldji32.exe	Bcdpacgl.exe
File opened for modification	C:\Windows\SysWOW64\Caqfiloi.exe	Cldnqe32.exe
File created	C:\Windows\SysWOW64\Cbpcbo32.exe	Cihojiok.exe
File opened for modification	C:\Windows\SysWOW64\Denknngk.exe	Ddmofeam.exe
File opened for modification	C:\Windows\SysWOW64\Bmjhdi32.exe	Bgmolb32.exe
File created	C:\Windows\SysWOW64\Ckndmaad.exe	Caepdk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	2524	WerFault.exe	64

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhkojab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behinlkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cejfckie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmajdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgmolb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blodefdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggbgadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmofeam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eoimlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemfjgdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoffd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkekmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcblgbfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cldnqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckndmaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpaceg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cihojiok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbpcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cligkdlm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caepdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Denknngk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjhdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmldji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqfiloi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfief32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdeab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkffc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcdpacgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmmkdkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceoooj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlhdjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhodpidl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnimikan.dll"	Bmhkojab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Blodefdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjibdo32.dll"	Behinlkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cejfckie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijhgopb.dll"	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpaceg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapnjioj.dll"	Cihojiok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeaddaj.dll"	Dajiok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbpcbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejqea32.dll"	Dfdeab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmjdcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmajdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhodpidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdaigqo.dll"	Blodefdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caqfiloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmjdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfief32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcblgbfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bemfjgdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cihojiok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceoooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoimlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cldnqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmofeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Denknngk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlooenoo.dll"	Bmldji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpmmkdkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcjbg32.dll"	Ceoooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbpkc32.dll"	Denknngk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnilfoq.dll"	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfopk32.dll"	Caqfiloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmajdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmfnaj32.dll"	Dhodpidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgmolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dggbgadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlhdjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eoimlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpmmkdkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dajiok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbkffc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Denknngk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckndmaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceoooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpaceg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcdpacgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgmgc32.dll"	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbpcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblehg32.dll"	Dpaceg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blodefdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Eoimlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbkffc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmhkojab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmjhdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Behinlkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llbmlo32.dll"	Cdfief32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipojic32.dll"	Bmjhdi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 404	1732	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe	30
PID 1732 wrote to memory of 404	1732	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe	30
PID 1732 wrote to memory of 404	1732	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe	30
PID 1732 wrote to memory of 404	1732	f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe	30
PID 404 wrote to memory of 2756	404	Bemfjgdg.exe	31
PID 404 wrote to memory of 2756	404	Bemfjgdg.exe	31
PID 404 wrote to memory of 2756	404	Bemfjgdg.exe	31
PID 404 wrote to memory of 2756	404	Bemfjgdg.exe	31
PID 2756 wrote to memory of 2908	2756	Bcoffd32.exe	32
PID 2756 wrote to memory of 2908	2756	Bcoffd32.exe	32
PID 2756 wrote to memory of 2908	2756	Bcoffd32.exe	32
PID 2756 wrote to memory of 2908	2756	Bcoffd32.exe	32
PID 2908 wrote to memory of 1112	2908	Bmhkojab.exe	33
PID 2908 wrote to memory of 1112	2908	Bmhkojab.exe	33
PID 2908 wrote to memory of 1112	2908	Bmhkojab.exe	33
PID 2908 wrote to memory of 1112	2908	Bmhkojab.exe	33
PID 1112 wrote to memory of 2564	1112	Bgmolb32.exe	34
PID 1112 wrote to memory of 2564	1112	Bgmolb32.exe	34
PID 1112 wrote to memory of 2564	1112	Bgmolb32.exe	34
PID 1112 wrote to memory of 2564	1112	Bgmolb32.exe	34
PID 2564 wrote to memory of 2672	2564	Bmjhdi32.exe	35
PID 2564 wrote to memory of 2672	2564	Bmjhdi32.exe	35
PID 2564 wrote to memory of 2672	2564	Bmjhdi32.exe	35
PID 2564 wrote to memory of 2672	2564	Bmjhdi32.exe	35
PID 2672 wrote to memory of 2132	2672	Bcdpacgl.exe	36
PID 2672 wrote to memory of 2132	2672	Bcdpacgl.exe	36
PID 2672 wrote to memory of 2132	2672	Bcdpacgl.exe	36
PID 2672 wrote to memory of 2132	2672	Bcdpacgl.exe	36
PID 2132 wrote to memory of 1796	2132	Bmldji32.exe	37
PID 2132 wrote to memory of 1796	2132	Bmldji32.exe	37
PID 2132 wrote to memory of 1796	2132	Bmldji32.exe	37
PID 2132 wrote to memory of 1796	2132	Bmldji32.exe	37
PID 1796 wrote to memory of 1316	1796	Blodefdg.exe	38
PID 1796 wrote to memory of 1316	1796	Blodefdg.exe	38
PID 1796 wrote to memory of 1316	1796	Blodefdg.exe	38
PID 1796 wrote to memory of 1316	1796	Blodefdg.exe	38
PID 1316 wrote to memory of 2044	1316	Behinlkh.exe	39
PID 1316 wrote to memory of 2044	1316	Behinlkh.exe	39
PID 1316 wrote to memory of 2044	1316	Behinlkh.exe	39
PID 1316 wrote to memory of 2044	1316	Behinlkh.exe	39
PID 2044 wrote to memory of 3028	2044	Cpmmkdkn.exe	40
PID 2044 wrote to memory of 3028	2044	Cpmmkdkn.exe	40
PID 2044 wrote to memory of 3028	2044	Cpmmkdkn.exe	40
PID 2044 wrote to memory of 3028	2044	Cpmmkdkn.exe	40
PID 3028 wrote to memory of 1992	3028	Cejfckie.exe	41
PID 3028 wrote to memory of 1992	3028	Cejfckie.exe	41
PID 3028 wrote to memory of 1992	3028	Cejfckie.exe	41
PID 3028 wrote to memory of 1992	3028	Cejfckie.exe	41
PID 1992 wrote to memory of 1212	1992	Cldnqe32.exe	42
PID 1992 wrote to memory of 1212	1992	Cldnqe32.exe	42
PID 1992 wrote to memory of 1212	1992	Cldnqe32.exe	42
PID 1992 wrote to memory of 1212	1992	Cldnqe32.exe	42
PID 1212 wrote to memory of 2104	1212	Caqfiloi.exe	43
PID 1212 wrote to memory of 2104	1212	Caqfiloi.exe	43
PID 1212 wrote to memory of 2104	1212	Caqfiloi.exe	43
PID 1212 wrote to memory of 2104	1212	Caqfiloi.exe	43
PID 2104 wrote to memory of 2344	2104	Cihojiok.exe	44
PID 2104 wrote to memory of 2344	2104	Cihojiok.exe	44
PID 2104 wrote to memory of 2344	2104	Cihojiok.exe	44
PID 2104 wrote to memory of 2344	2104	Cihojiok.exe	44
PID 2344 wrote to memory of 2388	2344	Cbpcbo32.exe	45
PID 2344 wrote to memory of 2388	2344	Cbpcbo32.exe	45
PID 2344 wrote to memory of 2388	2344	Cbpcbo32.exe	45
PID 2344 wrote to memory of 2388	2344	Cbpcbo32.exe	45

C:\Users\Admin\AppData\Local\Temp\f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe
"C:\Users\Admin\AppData\Local\Temp\f238d436a005b23dca188b3f3b135f682bb5b38fdacebd02bfc741622bf50a3bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Bemfjgdg.exe
  C:\Windows\system32\Bemfjgdg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\Bcoffd32.exe
    C:\Windows\system32\Bcoffd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\Bmhkojab.exe
      C:\Windows\system32\Bmhkojab.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\Bgmolb32.exe
        
        C:\Windows\system32\Bgmolb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Windows\SysWOW64\Bmjhdi32.exe
        
        C:\Windows\system32\Bmjhdi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Bcdpacgl.exe
        
        C:\Windows\system32\Bcdpacgl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Bmldji32.exe
        
        C:\Windows\system32\Bmldji32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Blodefdg.exe
        
        C:\Windows\system32\Blodefdg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Behinlkh.exe
        
        C:\Windows\system32\Behinlkh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Cpmmkdkn.exe
        
        C:\Windows\system32\Cpmmkdkn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Cejfckie.exe
        
        C:\Windows\system32\Cejfckie.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Cldnqe32.exe
        
        C:\Windows\system32\Cldnqe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Caqfiloi.exe
        
        C:\Windows\system32\Caqfiloi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Cihojiok.exe
        
        C:\Windows\system32\Cihojiok.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Cbpcbo32.exe
        
        C:\Windows\system32\Cbpcbo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ceoooj32.exe
        
        C:\Windows\system32\Ceoooj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Cligkdlm.exe
        
        C:\Windows\system32\Cligkdlm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Cmjdcm32.exe
        
        C:\Windows\system32\Cmjdcm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\Caepdk32.exe
        
        C:\Windows\system32\Caepdk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Ckndmaad.exe
        
        C:\Windows\system32\Ckndmaad.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:276
        
        C:\Windows\SysWOW64\Cdfief32.exe
        
        C:\Windows\system32\Cdfief32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Dfdeab32.exe
        
        C:\Windows\system32\Dfdeab32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Dajiok32.exe
        
        C:\Windows\system32\Dajiok32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Dbkffc32.exe
        
        C:\Windows\system32\Dbkffc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Dggbgadf.exe
        
        C:\Windows\system32\Dggbgadf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Dmajdl32.exe
        
        C:\Windows\system32\Dmajdl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Dkekmp32.exe
        
        C:\Windows\system32\Dkekmp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Dpaceg32.exe
        
        C:\Windows\system32\Dpaceg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Ddmofeam.exe
        
        C:\Windows\system32\Ddmofeam.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Denknngk.exe
        
        C:\Windows\system32\Denknngk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Dlhdjh32.exe
        
        C:\Windows\system32\Dlhdjh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Dcblgbfe.exe
        
        C:\Windows\system32\Dcblgbfe.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Dhodpidl.exe
        
        C:\Windows\system32\Dhodpidl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Eoimlc32.exe
        
        C:\Windows\system32\Eoimlc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 140
        37⤵
        Program crash
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bemfjgdg.exe

Filesize
87KB

MD5
d22039704bb2214f9f23ddf394c1397b

SHA1
ea0efc326232599b30eb0562da8eaf9cefc4c302

SHA256
4ded9583f31f537cc67905034373228297d98ac295ab9ce743a03d55725f658d

SHA512
64789793ae83832bd531134ed63a2432404d11c7ec508ef295219accdf6e48aec94b3cc7e00b738ec27b7ab0bd462e2d5b6581acc995dff9c77b1371fc4533da

Download Submit
C:\Windows\SysWOW64\Bgmolb32.exe

Filesize
87KB

MD5
617daf7c588d26355dcc21d4da550211

SHA1
5ceb3d150c1d00aac610241591d2d4485acbb93c

SHA256
aaf699d3d38d7bc808cea69d2cca677ce0a1b6e09923c2ee608858a0a079b4f4

SHA512
50ad2279ed1cb3aae9d0e2b878548fbeee851c441271ac4d1cd07091dfc4f841d776f76c4e4f513e34b89734e96d41c90640c001aa43c91d9c1ed344e0c127fa

Download Submit
C:\Windows\SysWOW64\Blodefdg.exe

Filesize
87KB

MD5
bb6f8c6e503eaf6a3add95fbffbc89aa

SHA1
2f607524851ede7fccf5f8cc817ded63612214d7

SHA256
88809015dfb1178758ac730f10ac695695406cdd3f20e6d9d4d605eb1d611526

SHA512
3136073189e264b1e74630bf6db09d0f6e1f5538feb8e0343fe32b0888d4ba364a00fff53b9bf46ee54219927e6bc2a3f1384a5eba843f9b5051f63dfffd70ba

Download Submit
C:\Windows\SysWOW64\Bmldji32.exe

Filesize
87KB

MD5
09e98c520b889e00ac410bbfdb57e581

SHA1
6eed529d88b4668274a7aac7dc07aeb9344f5446

SHA256
ccb57d022990c2400666f93cbd57b5efb52e0c1803d2256c5177da04fade2077

SHA512
3c8ffe7490af82f823df1d288dc6af38d6e506b208a1ded727af2d427915dc17ecac89ff2c44b4a0191f570399b342623a918109512f51d9d80009e3abdc142f

Download Submit
C:\Windows\SysWOW64\Caepdk32.exe

Filesize
87KB

MD5
de8f3dbc2de1f6d696b720b884d6134e

SHA1
66ec9715810ac57def70e9e1a93e8529c06d6061

SHA256
589bc7f9e060ec4538ec977dd755105cb0de57343f8383fd9f987038f94d7b98

SHA512
b64eff9e8e6833f81d32988ed18c8d3ca686c29b8d9839b52109fca6ce60ea17d4d63a83d9142c3c82dacfb9c8c9946d217970242c1c22746b47797aec7580a1

Download Submit
C:\Windows\SysWOW64\Cdfief32.exe

Filesize
87KB

MD5
fe2a16dd0fac4b69eeb32e04e1a28326

SHA1
8e736db6c9b6c0ef6216a323b34de2e9feab8f51

SHA256
76f451ce845af3cd024e9ba4b75a47108383e0df5a6e9d8ccaf7e4efc8992220

SHA512
ab6b08ab052b8a983f2c3b1c81e69865351cfb187fecc2ba9ca48ffc1ab0602c8b95d87fb1628cba8537416a4cc76a816cdf209660300521d04bc9b0eb400da2

Download Submit
C:\Windows\SysWOW64\Ckndmaad.exe

Filesize
87KB

MD5
5e77f95dac4ff9e40ee062339aecc182

SHA1
378de6243f644cb0c897d15a79788dbe53188b9d

SHA256
eddf8574c6c54c4ab33e1392aa59b933218338136dd683b5168cff090250bd9c

SHA512
70d8202ffaead8af4746857f89a94a9b7ca7eb83d15d1f402234c336fff0c9190181b6a565757b1a6f55eb99ef7747836464b17e96d8e4f6ae087a37e88412d9

Download Submit
C:\Windows\SysWOW64\Cldnqe32.exe

Filesize
87KB

MD5
3be883ebef8f145c65f271069c0c6666

SHA1
a8b0c9d3213ebfbc477e78cb65f914c898327021

SHA256
494d05bfe63e8aaa3974634c7d5ef6dfcbc0b880058ec7f80d98aacb60081f34

SHA512
8bd9af739374c8958c0ea4411f2a3064e02ccf7842dcaf0e364d6dc6a9ea2d963ef938a5e91318a3c6186888bac4aacaddb8d7d355a9f908aa3c5f1337541ab5

Download Submit
C:\Windows\SysWOW64\Cligkdlm.exe

Filesize
87KB

MD5
1779d1839351b8ec372caf45cf6839f1

SHA1
bb9501bf6ac55585a51ad16c505b88d6f4aa8465

SHA256
fd4baead5422d2716422e79a0750cb58d21d8c004adc4ba7e2457e93e1a0f75e

SHA512
fdb5f451e20d0e1f4e7efc2a8495c79cd9710990c8b2ff6c2531f77d01425015b8a5ed44c9a5013157f831a4dfbb6cb934d3cc97e49e7cc595577b5f5041d866

Download Submit
C:\Windows\SysWOW64\Cmjdcm32.exe

Filesize
87KB

MD5
d07aec37ff307b1314b83291db141240

SHA1
bb3177039256d025f57c43fa957d9e2254b18ff4

SHA256
7f0170e26316094e3b3eadb3f4d4cd9446f3f2f909b15799c62b9d0179319846

SHA512
f3fcee0c3c64202a638ba79caf31593fbb68046b25ba66448192800a6926e6d85b3d1966196a427108a3190295596eeaaf291396c05c8ad9394415eed3214be7

Download Submit
C:\Windows\SysWOW64\Dajiok32.exe

Filesize
87KB

MD5
cd467ab510dd9ad9e004715e3bf2d1a3

SHA1
20aba9e179a20a86990e8d24f8e55fb89f0063c4

SHA256
1e253bfe302e52d9bda453134b1d14c17d4a70bdb2914fa6d37ff101b6350f36

SHA512
311a5eaefafd33f2e2b5075fb3992f5a7c2827716b827c87fce77811c229d4d294d0136f2c53451e5247bf89d4cbcdb89d257279b750bd4e0c868a9cb60fc34a

Download Submit
C:\Windows\SysWOW64\Dbkffc32.exe

Filesize
87KB

MD5
ddf6413f80ff9a597d4c55821634c237

SHA1
7d5bccc609135446a166698d30af8e8108771f47

SHA256
1c4c55385fae553611831fad6564951b4024743706f961b31c83f941da4e667d

SHA512
fc605ce788ac91e77873aecd6bbd22f40165482bc811f6d31b3f8bf8560b89b611bbf69ff9cb0490d668162f9aa3e03bfb504a7351eca18f873e658708b0d395

Download Submit
C:\Windows\SysWOW64\Dcblgbfe.exe

Filesize
87KB

MD5
b4f8c47e9bb4176956e41de69e280b33

SHA1
6d4a4b38da65b2ca444306d28bd563e845f4ec12

SHA256
582f361fe92cd3347eeff69b89cce6dc8de81cd7e4f29e1f62a412e0ffa7f3fd

SHA512
956eb52eab7d88450f2a1057b73b653a6b0710d8b39cae9425ebc8ffac8fecd0d704dd721266959d5fa98af7a04a919e25d9c9a6e7cdfafefca1d3af33de7e4f

Download Submit
C:\Windows\SysWOW64\Ddmofeam.exe

Filesize
87KB

MD5
4c386cf0e5e7b47862bfe8b277ca9c9e

SHA1
466a8dbd88119db292792838a147d4a85400b5ce

SHA256
3ced2480d2f8ad94584d4744ced11fb9124d8ba7d933b2659fb9877987c0fb86

SHA512
8bd451dafdfef103d44d6971de047b37095e88eec9f0778a2cb70b68957419d8499611045b600f7dad2ab3961dfe10a32ad4eefaa7969f8a6d00f6790de8a55b

Download Submit
C:\Windows\SysWOW64\Denknngk.exe

Filesize
87KB

MD5
0bbf079b8a6291d28b24995c1f234b64

SHA1
55ed9839faee478c270536255c103a079c08671b

SHA256
7d07b8f9a3583ef90bf595af7edd4b903b6805c54445e957dccc232697d6c2bb

SHA512
9b0fd15bb4cfb4cf18f745eef9160bec1706091919d67b2db1470790b78a5aafc90739c9750c5c97e4f72f88fd8086fc964fe12b8832b1e9ba3feca58d39e119

Download Submit
C:\Windows\SysWOW64\Dfdeab32.exe

Filesize
87KB

MD5
1b4e0bd659e57552c37a7e564d4a41d6

SHA1
3607fc2877e00e1537d7a44b0658ee0b69872218

SHA256
c1fa0a6eb46b7e9d4ae26a3636277fec37771b6521dab2f1bd27b7059e9b0f39

SHA512
297c9b5c3a026889b29aded223d070f4480f5130741ca2071fff525b64efe6ec8ef845205f9fcfd991c65d9e876060bd8fa9074b4f686bc94d13bb2e1e966ced

Download Submit
C:\Windows\SysWOW64\Dggbgadf.exe

Filesize
87KB

MD5
9f5b2ad24e4043d75c6aab8c526ba03d

SHA1
4141fcfc68e9620720889d773864396ca570ce88

SHA256
8c625ac5cd729ab1e46bc5b124facf0ec0d070247eab6ba010b41bdc724e5541

SHA512
8505e046c3dcb70771edbc4309469bbbead0c0c1519dc6ca13b1f7a52a34078b10650a5759f42ca1e2f4fd0b4e0be907e25a46da472c66bdceb81133b6d5601d

Download Submit
C:\Windows\SysWOW64\Dhodpidl.exe

Filesize
87KB

MD5
6e7e5cf5cca256378567a5cfb5b3738d

SHA1
370ea01079dda785dbdc4163885f631227e5a29f

SHA256
5d7292b55bbec909a32304bbc530a1fbb6a838fdc29d95dc74fb3ca41f3db052

SHA512
3bef63cf497ce3979d5f52a3248b1cf02ffe19dd3e165117ddfa31eb8180c02a44dd83dd7dd0863e458382c1287c258fa7008b6a8440491a82c35931f6a81442

Download Submit
C:\Windows\SysWOW64\Dkekmp32.exe

Filesize
87KB

MD5
f6a49099d7cbbed83baa7edd53f583c1

SHA1
cfd6a99c5574b5958b101f793fbd7e735c0ecd4f

SHA256
586fe19a8b672bd0c3f19ff485d788a46800be4640de44798c04c0692dfd40b6

SHA512
bdc907872aa58de9fc17672711708e279f1f9821050c3527ef76b0ab0f7e9ea445ac21af7e258c0c46466fd563d99adb226ddab4208d01f4abd9f1860c69b8ff

Download Submit
C:\Windows\SysWOW64\Dlhdjh32.exe

Filesize
87KB

MD5
d73181165736be18216bd6fe3771d14f

SHA1
eeef0b52d4a8336a149e1b2e466fbf0a7043fd4a

SHA256
20dfd6dbfd2c0e0bc4b641dca4bbd94cfe6cb8c6ab9d94f6a6277a4ea61d4ce2

SHA512
97f99f6cf8afcbb18d5939cb7253461c89992bbe0cad67831161ecf8ea16bfd1c99498a4e65bcdf270837da81ce78b4ab03cb70f4b23c457ecb710d07273fbe2

Download Submit
C:\Windows\SysWOW64\Dmajdl32.exe

Filesize
87KB

MD5
f168acd0bde5b25a62d751f907ff5244

SHA1
2fb634634418481fbfdfb69dd78b8ad0d14a1b10

SHA256
2adf15de1bd779e08e6dc99692900581ff4f8061f5f65e44428befde720963bb

SHA512
23e09e7054aefc0b034601a5c41d3d98a29f9cc9aa2fa7a99100401de4684168c0fb4dd62ca3fae653a5fe4984967bde102b34aac1b360b1d76832bb4a58b096

Download Submit
C:\Windows\SysWOW64\Dpaceg32.exe

Filesize
87KB

MD5
b30e28f72094b4639d66c6b01a80a257

SHA1
07bf0af053519c56f544c67d78fe0fea4b71bffc

SHA256
a09dea3f7f5b4769ef87a525118514d8a32d433acddc6af1acc7c46114d5d14a

SHA512
ca22dec233f7459372f71fa412b437ef932810bd5e9da383a57a7aed0f355c3cbaa260d3de7050e50d0ba5891f61116c64f235a70d6f41acc2ce696c6df94e48

Download Submit
C:\Windows\SysWOW64\Eceimadb.exe

Filesize
87KB

MD5
44adc574d30259bdb78fb038ab14c54c

SHA1
a0b5ae3e96b5f35835fa97c66d4ff75b0dbdbad1

SHA256
46e07d16c4ba03b1b1875642801c68b4f3fb859f15646406505ff95e43441bd8

SHA512
15c9527e8a8a110926f6db0e91f00fb6109180e7a8f1f3de008a13389ff58efa1422103f95dfa153beada8ab4d0349c3cf9333b4cc1f74b74c4323b160b10d62

Download Submit
C:\Windows\SysWOW64\Eoimlc32.exe

Filesize
87KB

MD5
35a0d51692ad0b6470717521368579dd

SHA1
e1f3c3df53abbaf49e0086da32435f2d1f344a17

SHA256
52b251ee1b2258d52baafbf2d4a0cde51de8072c53eb5a17800efe2756fdc24b

SHA512
2c998d9f031e199870da91d3f62c6832fd1840394173adaa2566607cfd82b615a46ba9579762cf00c9c199af897e7ea76036be5f92a8a134e45e4c75a0871cd1

Download Submit
C:\Windows\SysWOW64\Lgcpif32.dll

Filesize
7KB

MD5
55f8856f951ce00e0e417f017ad1d482

SHA1
5497b28a72e95a77d2770f307d6aec332bcdffa3

SHA256
e79d084beb007142f07f66b931e65311cb8ffe91ca02cff3b87cbbf768a2f9c0

SHA512
2070b887f44ab9378d32d6c3f57642bd88c359e0fc8193185d7a99cdd48fcf1c1c9f2288a64190e8386ff2c92a3bcecda739da39eee20f425f656bcbbb395677

Download Submit
\Windows\SysWOW64\Bcdpacgl.exe

Filesize
87KB

MD5
b194e8d3a9318e1cdba9df304f89cd15

SHA1
09fcf5c78ef42c03067b5a62fee8d9dfb26ed1cd

SHA256
ebcc6d2bda61a43d1828e36b8304764367a8b3131c4743fe4e2da36961c34efb

SHA512
64feab402d2bd22d1961c42726b49340df30a83d5f1c0b001c075c46bd1f37e55c223052bddbb1d87d39d9f02aef38dad79fe169b21f52f51f191dacde22e923

Download Submit
\Windows\SysWOW64\Bcoffd32.exe

Filesize
87KB

MD5
9b5acc28e4e6ebed5adee3900ceda7e1

SHA1
09afcad8ae57b87eec9c5e6f3cab27ac2ed2481d

SHA256
b2f05ec2504aa900132344deb9bcfb0b92201d3f32e657f6eb757b7eb8c09e0d

SHA512
d4786a6dedc7e07f6846aa70e758268110d8522995e92fce6a10be9d1d75a9ad25deea3a44a3da654672afa6394406e4f65a19204ab78290d97da0eeba63cc6e

Download Submit
\Windows\SysWOW64\Behinlkh.exe

Filesize
87KB

MD5
0f7855f95476fb77dd28c2795f06341f

SHA1
700434fcc9b38c6ca58a4d4ea089d24423b8f820

SHA256
5888c9fca9e1b6c00a309373a54ea7f7d39630566b1e049b1d7856d94c8b4225

SHA512
fd49c1adb8c1af1977f4224a6347d178a4ad2329e5ac8b12601d2c82cd9404562f553b843c549e41b24a4f8b7f2867dcf392c9d248bc565a7b0938cd6df7b971

Download Submit
\Windows\SysWOW64\Bmhkojab.exe

Filesize
87KB

MD5
0b6ae798e61c23c45c2501ac6009bd66

SHA1
9dd03e47c14cbd413126d406af3f55c74ed56b18

SHA256
3115fd34a593c555dc8946ee56cc55ad0e9e5e9a26b6d7f8604dedb793faded4

SHA512
f823d5449d35bf63fdd10f9556058bef09ec06476a7391ca27c258e6a11a713a56364f86ce44289a19c195eaf69b93230ebef162c7e1fc4c928ce50b830cbcc5

Download Submit
\Windows\SysWOW64\Bmjhdi32.exe

Filesize
87KB

MD5
5c4c45b707f49e704741fe6465acc5a8

SHA1
66b4a4956af3b9c31a5f50483fa52f9fc1244b73

SHA256
3ca750c6d983143e9c91e47119fa6db164dce530095b15a6e65d92a2803c9352

SHA512
81f52038fe1128b414b3b6351d04c939a459d648e38ed924e82ed5b21783e0ddb3327e13d743a05d1d33c0eb28257a79d21dfcd5343ded9db9beeea7cd2787e8

Download Submit
\Windows\SysWOW64\Caqfiloi.exe

Filesize
87KB

MD5
535a3a26b292367dd077df47f7ad7fc9

SHA1
b6d087e3175f4f0bc8aa7e94f7ee89837c9f5407

SHA256
36b2a00f46dc714f7c5f5c977336114cd381929317cef48c55259ba2ff4ace55

SHA512
2e321775563991277d6d3d00830b0014dd6ab086a3617f685263f546e402899cda370a3a61ce23159e9bb610549dfb46e5435272ddc29bb80099acee6c223ad0

Download Submit
\Windows\SysWOW64\Cbpcbo32.exe

Filesize
87KB

MD5
3e222a3e10b79ccf4f523f55f47fd050

SHA1
07ad5a0da0464684801f713806ef0227ec368b36

SHA256
ff0cf969080ccf98ef7f4b6c77644827e0dd96bd3e876922906b07449eb8e8b3

SHA512
75057d2986af7f5492db62964c26404df933bafd26cd822b527d8e484f7a3071f2522b6f1468df345dc5bb4e776dee4753fa43cdab5abf1ef92b34b3a79cb367

Download Submit
\Windows\SysWOW64\Cejfckie.exe

Filesize
87KB

MD5
fada9eb89dcf3009daf3d115257ee853

SHA1
1f5e4962d277533775a16c4f4d44a5d3f78388e2

SHA256
20eb26e8b211e420f692303460d8051678670e621f5a45149ce4441e90256c97

SHA512
ad913a83f31c47a1ec4587d06f71ea53294c271efc3a3edec4390999196a309066d0253f86c81d71b32f0075c845a57a786ea6f16144f4f6540aa9d1ff75695f

Download Submit
\Windows\SysWOW64\Ceoooj32.exe

Filesize
87KB

MD5
88676a0bcbb6cf98775dd46f981182c8

SHA1
e1a885f287aef8f6bae6f1be073711eb2948102f

SHA256
6f3710e8348378215705eb63086ac548aa6e7a369745d863ae5b890c6f1e26d2

SHA512
f0f22e36063cd99abe0d7dc6e24b745f644bc76598d9ac112abd75387e9d61c05e18222c946f85e798a70ac96d52579116c1204858624bdffb14a33fb1619177

Download Submit
\Windows\SysWOW64\Cihojiok.exe

Filesize
87KB

MD5
a79ad0436a6b7380bfa5784e9f001431

SHA1
3698f08418f39afe6e484981a91ec0ed4a245243

SHA256
9cf97d8954651a73df66304b063da2cd638eb440b972718f50603ee5e86e66a9

SHA512
635c893617c9577e8d2d2dc14607058e884bf4e8a0030c311a0c4bd3befccb8d7e193d3af059bea6c1f73c3a6eb07810789090858ecf6ffd6ccec2bba76c5791

Download Submit
\Windows\SysWOW64\Cpmmkdkn.exe

Filesize
87KB

MD5
652254abe2f09367a5e13862dc819d8a

SHA1
b6288011afe8d523378516a348a927cf415861c2

SHA256
07b36f807bb53079d8f691655647f1171a98e2a1aa9d0a601c2cea6a3b378baa

SHA512
71bef11a268fe7471d973aff624b4bcaedfe942829ec732645a41df68275a660200b096ef3eaf3cd6e83d15d33701584478962c75731e2f4d053acd1372b3e7b

Download Submit
memory/276-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/276-286-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/404-62-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-25-0x0000000001F80000-0x0000000001FC0000-memory.dmp

Filesize
256KB

Download
memory/588-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/588-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-373-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/868-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-333-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/868-328-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1112-63-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1112-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-344-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1180-310-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1212-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-197-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1316-144-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1316-143-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1316-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-195-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1604-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-396-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1604-401-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1732-12-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1732-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-7-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1732-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-123-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1796-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-274-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1848-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-279-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1848-311-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1864-297-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1864-342-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1864-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-378-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2020-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-159-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2044-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-152-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2064-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-412-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2104-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-214-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2104-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-173-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2132-111-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2344-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-273-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2388-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-243-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2388-247-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2468-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-257-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2472-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-122-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2564-82-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2564-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-81-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2664-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-414-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2664-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-419-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2672-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-95-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2672-98-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2700-366-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2700-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-35-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2756-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-351-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2808-356-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2808-389-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2808-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-174-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/3028-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads