c133627323a5193afac054dcf2593d4400cbb21ed8b67f18cc048e6606896c90

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d69ca4233e8c49eac841d55cc2b5e499.exe
Size

148KB
MD5

d69ca4233e8c49eac841d55cc2b5e499
SHA1

9504be98021b1cb1f87589eff97ad55f58986456
SHA256

c133627323a5193afac054dcf2593d4400cbb21ed8b67f18cc048e6606896c90
SHA512

fea7f1693c035e4ebd1e1412d7d405d37d659b47e3b7ce6313947bceccad38f8d3052dd19437e59fd9c84f7663a7856c6f98b7398a695511aee2809783e72c4e
SSDEEP

3072:UYGO+ZvtgyD9Y5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:UYGdZlgyD9KOdzOdkOdezOd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d69ca4233e8c49eac841d55cc2b5e499.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d69ca4233e8c49eac841d55cc2b5e499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe

Executes dropped EXE 28 IoCs

pid	Process
1348	Amddjegd.exe
2036	Aeklkchg.exe
1832	Aeniabfd.exe
4752	Agoabn32.exe
1764	Bjmnoi32.exe
4624	Bfdodjhm.exe
2664	Baicac32.exe
2852	Bgcknmop.exe
2044	Balpgb32.exe
3080	Bgehcmmm.exe
2720	Bjfaeh32.exe
4164	Chjaol32.exe
4384	Cndikf32.exe
4524	Caebma32.exe
1756	Cfbkeh32.exe
2012	Cdfkolkf.exe
4528	Cajlhqjp.exe
1960	Chcddk32.exe
3308	Ddjejl32.exe
2348	Dfiafg32.exe
1420	Danecp32.exe
1688	Dhhnpjmh.exe
4004	Dobfld32.exe
3640	Dkifae32.exe
2988	Deokon32.exe
1036	Dogogcpo.exe
736	Dgbdlf32.exe
4916	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	d69ca4233e8c49eac841d55cc2b5e499.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	d69ca4233e8c49eac841d55cc2b5e499.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cdfkolkf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2020	4916	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d69ca4233e8c49eac841d55cc2b5e499.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d69ca4233e8c49eac841d55cc2b5e499.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d69ca4233e8c49eac841d55cc2b5e499.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 1348	4264	d69ca4233e8c49eac841d55cc2b5e499.exe	84
PID 4264 wrote to memory of 1348	4264	d69ca4233e8c49eac841d55cc2b5e499.exe	84
PID 4264 wrote to memory of 1348	4264	d69ca4233e8c49eac841d55cc2b5e499.exe	84
PID 1348 wrote to memory of 2036	1348	Amddjegd.exe	85
PID 1348 wrote to memory of 2036	1348	Amddjegd.exe	85
PID 1348 wrote to memory of 2036	1348	Amddjegd.exe	85
PID 2036 wrote to memory of 1832	2036	Aeklkchg.exe	86
PID 2036 wrote to memory of 1832	2036	Aeklkchg.exe	86
PID 2036 wrote to memory of 1832	2036	Aeklkchg.exe	86
PID 1832 wrote to memory of 4752	1832	Aeniabfd.exe	88
PID 1832 wrote to memory of 4752	1832	Aeniabfd.exe	88
PID 1832 wrote to memory of 4752	1832	Aeniabfd.exe	88
PID 4752 wrote to memory of 1764	4752	Agoabn32.exe	89
PID 4752 wrote to memory of 1764	4752	Agoabn32.exe	89
PID 4752 wrote to memory of 1764	4752	Agoabn32.exe	89
PID 1764 wrote to memory of 4624	1764	Bjmnoi32.exe	90
PID 1764 wrote to memory of 4624	1764	Bjmnoi32.exe	90
PID 1764 wrote to memory of 4624	1764	Bjmnoi32.exe	90
PID 4624 wrote to memory of 2664	4624	Bfdodjhm.exe	91
PID 4624 wrote to memory of 2664	4624	Bfdodjhm.exe	91
PID 4624 wrote to memory of 2664	4624	Bfdodjhm.exe	91
PID 2664 wrote to memory of 2852	2664	Baicac32.exe	92
PID 2664 wrote to memory of 2852	2664	Baicac32.exe	92
PID 2664 wrote to memory of 2852	2664	Baicac32.exe	92
PID 2852 wrote to memory of 2044	2852	Bgcknmop.exe	93
PID 2852 wrote to memory of 2044	2852	Bgcknmop.exe	93
PID 2852 wrote to memory of 2044	2852	Bgcknmop.exe	93
PID 2044 wrote to memory of 3080	2044	Balpgb32.exe	94
PID 2044 wrote to memory of 3080	2044	Balpgb32.exe	94
PID 2044 wrote to memory of 3080	2044	Balpgb32.exe	94
PID 3080 wrote to memory of 2720	3080	Bgehcmmm.exe	95
PID 3080 wrote to memory of 2720	3080	Bgehcmmm.exe	95
PID 3080 wrote to memory of 2720	3080	Bgehcmmm.exe	95
PID 2720 wrote to memory of 4164	2720	Bjfaeh32.exe	97
PID 2720 wrote to memory of 4164	2720	Bjfaeh32.exe	97
PID 2720 wrote to memory of 4164	2720	Bjfaeh32.exe	97
PID 4164 wrote to memory of 4384	4164	Chjaol32.exe	98
PID 4164 wrote to memory of 4384	4164	Chjaol32.exe	98
PID 4164 wrote to memory of 4384	4164	Chjaol32.exe	98
PID 4384 wrote to memory of 4524	4384	Cndikf32.exe	99
PID 4384 wrote to memory of 4524	4384	Cndikf32.exe	99
PID 4384 wrote to memory of 4524	4384	Cndikf32.exe	99
PID 4524 wrote to memory of 1756	4524	Caebma32.exe	100
PID 4524 wrote to memory of 1756	4524	Caebma32.exe	100
PID 4524 wrote to memory of 1756	4524	Caebma32.exe	100
PID 1756 wrote to memory of 2012	1756	Cfbkeh32.exe	101
PID 1756 wrote to memory of 2012	1756	Cfbkeh32.exe	101
PID 1756 wrote to memory of 2012	1756	Cfbkeh32.exe	101
PID 2012 wrote to memory of 4528	2012	Cdfkolkf.exe	102
PID 2012 wrote to memory of 4528	2012	Cdfkolkf.exe	102
PID 2012 wrote to memory of 4528	2012	Cdfkolkf.exe	102
PID 4528 wrote to memory of 1960	4528	Cajlhqjp.exe	103
PID 4528 wrote to memory of 1960	4528	Cajlhqjp.exe	103
PID 4528 wrote to memory of 1960	4528	Cajlhqjp.exe	103
PID 1960 wrote to memory of 3308	1960	Chcddk32.exe	104
PID 1960 wrote to memory of 3308	1960	Chcddk32.exe	104
PID 1960 wrote to memory of 3308	1960	Chcddk32.exe	104
PID 3308 wrote to memory of 2348	3308	Ddjejl32.exe	105
PID 3308 wrote to memory of 2348	3308	Ddjejl32.exe	105
PID 3308 wrote to memory of 2348	3308	Ddjejl32.exe	105
PID 2348 wrote to memory of 1420	2348	Dfiafg32.exe	107
PID 2348 wrote to memory of 1420	2348	Dfiafg32.exe	107
PID 2348 wrote to memory of 1420	2348	Dfiafg32.exe	107
PID 1420 wrote to memory of 1688	1420	Danecp32.exe	106

C:\Users\Admin\AppData\Local\Temp\d69ca4233e8c49eac841d55cc2b5e499.exe
"C:\Users\Admin\AppData\Local\Temp\d69ca4233e8c49eac841d55cc2b5e499.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\Amddjegd.exe
  C:\Windows\system32\Amddjegd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\Aeklkchg.exe
    C:\Windows\system32\Aeklkchg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\Aeniabfd.exe
      C:\Windows\system32\Aeniabfd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420

C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1688
- C:\Windows\SysWOW64\Dobfld32.exe
  C:\Windows\system32\Dobfld32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4004
- - C:\Windows\SysWOW64\Dkifae32.exe
    C:\Windows\system32\Dkifae32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:3640
  - - C:\Windows\SysWOW64\Deokon32.exe
      C:\Windows\system32\Deokon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:2988
    - - C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
      - C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        7⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 396
        8⤵
        Program crash
        
        PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4916 -ip 4916
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
148KB

MD5
a125a3b7e02835a07f4c7242402e0814

SHA1
c3e1e1eb53ca17296c9eb72f9a54d0b02b0103c5

SHA256
6bdb7d463de78dc3055b4df080317bebf54a60f32e9b1651cb89c35c073daaf1

SHA512
7f38b3136476abf26ef4d93572c67b623953454d9e05a2dbc7ef633eb74ce67815e3ad9ac1da0f49b721d433a45daedc55b3941786e78500004dad20c81d7302

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
148KB

MD5
a125a3b7e02835a07f4c7242402e0814

SHA1
c3e1e1eb53ca17296c9eb72f9a54d0b02b0103c5

SHA256
6bdb7d463de78dc3055b4df080317bebf54a60f32e9b1651cb89c35c073daaf1

SHA512
7f38b3136476abf26ef4d93572c67b623953454d9e05a2dbc7ef633eb74ce67815e3ad9ac1da0f49b721d433a45daedc55b3941786e78500004dad20c81d7302

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
148KB

MD5
e933aecef5c973555beb28c28e037690

SHA1
914d8fcaa639802b3cadf221858ee21363c34322

SHA256
7e193c54ff43b98416146181d8580d07858aa068089db37df3be8f8f1ca893ee

SHA512
ba4f482b990b11bb0824fa0789122913650cf3be2d4f201f1a03703efb85f9d06601fc59611e7c6cf5adbe3a6174f46868625cf4738fba1168bca868006725fc

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
148KB

MD5
e933aecef5c973555beb28c28e037690

SHA1
914d8fcaa639802b3cadf221858ee21363c34322

SHA256
7e193c54ff43b98416146181d8580d07858aa068089db37df3be8f8f1ca893ee

SHA512
ba4f482b990b11bb0824fa0789122913650cf3be2d4f201f1a03703efb85f9d06601fc59611e7c6cf5adbe3a6174f46868625cf4738fba1168bca868006725fc

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
148KB

MD5
1147eae6aca8c3664de8898983ad3bb0

SHA1
dee4dc7c1fa02f6d2af1bf0fc7b730dd25ff6902

SHA256
60c67ca8479bba95ee09944136a50ccef68f9c9ec123d2b2c6cfb8c83a0a5f02

SHA512
3f56d3378c811bf95f114d16c413448c2e8b1fbe9bf5e3830e294ddfd559b89942e24f7061444a295c775ef957545ff3e8d0f5f545dc8a2cd419bf14f38155c6

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
148KB

MD5
1147eae6aca8c3664de8898983ad3bb0

SHA1
dee4dc7c1fa02f6d2af1bf0fc7b730dd25ff6902

SHA256
60c67ca8479bba95ee09944136a50ccef68f9c9ec123d2b2c6cfb8c83a0a5f02

SHA512
3f56d3378c811bf95f114d16c413448c2e8b1fbe9bf5e3830e294ddfd559b89942e24f7061444a295c775ef957545ff3e8d0f5f545dc8a2cd419bf14f38155c6

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
148KB

MD5
8ab0efdb3d337f790f11e838553ada37

SHA1
d837a8d48999407528ee330f140f4500997741f4

SHA256
b5bf1d5ed60f780cfb623bfd91e3b243ae5937fc40764dd94a2acb40b54bb556

SHA512
35d3ae344d7cfcfe33376fa755f990ca1060153a5265964d9387855fb104d19d6314b2bb66882d68b88bc948aeda08ccee06c5bd4eb904616653b2bc30477617

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
148KB

MD5
8ab0efdb3d337f790f11e838553ada37

SHA1
d837a8d48999407528ee330f140f4500997741f4

SHA256
b5bf1d5ed60f780cfb623bfd91e3b243ae5937fc40764dd94a2acb40b54bb556

SHA512
35d3ae344d7cfcfe33376fa755f990ca1060153a5265964d9387855fb104d19d6314b2bb66882d68b88bc948aeda08ccee06c5bd4eb904616653b2bc30477617

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
148KB

MD5
b874830facc3605b410f0db0566d7337

SHA1
812bf565392ff19c86cad6af9210b037e01eeda2

SHA256
968427838a956bef635b57f8ea7295b184b303458c6af44d97ab0c32cb6f4365

SHA512
7b7aa381d9565780b6e5c8be033c44c0d67e37a8700b401c1f253154b3adbd81556e9f6f9f8abb61ca4e2f5d7782477c2f32b43eaa747a4bbbdadf61014e19e0

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
148KB

MD5
b874830facc3605b410f0db0566d7337

SHA1
812bf565392ff19c86cad6af9210b037e01eeda2

SHA256
968427838a956bef635b57f8ea7295b184b303458c6af44d97ab0c32cb6f4365

SHA512
7b7aa381d9565780b6e5c8be033c44c0d67e37a8700b401c1f253154b3adbd81556e9f6f9f8abb61ca4e2f5d7782477c2f32b43eaa747a4bbbdadf61014e19e0

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
148KB

MD5
49ced9949906e2fb375834299d4dda65

SHA1
1a9b7b4cd48d23b641145e2a37c476778584a1c3

SHA256
622e301201d7dc48551a30cc84620a68c1dc65610e25cb3d9c2de3614205f1fd

SHA512
465358f1f80922fcf4ef01e11414c82cef435c6120ca0b4f86d7a96b89aec70085b55fa8993266a1341985a3ce87b266d1442e4ad914dce7851aa99ffc5d3c6f

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
148KB

MD5
49ced9949906e2fb375834299d4dda65

SHA1
1a9b7b4cd48d23b641145e2a37c476778584a1c3

SHA256
622e301201d7dc48551a30cc84620a68c1dc65610e25cb3d9c2de3614205f1fd

SHA512
465358f1f80922fcf4ef01e11414c82cef435c6120ca0b4f86d7a96b89aec70085b55fa8993266a1341985a3ce87b266d1442e4ad914dce7851aa99ffc5d3c6f

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
148KB

MD5
6ad2b69e907b1b6184a5136130cf9ab1

SHA1
a3cf8d3d1f6e3421051e2d47d27a58590581ca11

SHA256
54bab93b2fa0cf30c76d15a2662261494e7acdd9a104f396b01533a6d029f607

SHA512
409b521f687fa8857619fb3e7cc02a1d4cef217261bcfcae89659bb30a98d31dd258efe77500187a9f87f6f20f5122f16d9168a1f6716cc572cec178b106ecb4

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
148KB

MD5
6ad2b69e907b1b6184a5136130cf9ab1

SHA1
a3cf8d3d1f6e3421051e2d47d27a58590581ca11

SHA256
54bab93b2fa0cf30c76d15a2662261494e7acdd9a104f396b01533a6d029f607

SHA512
409b521f687fa8857619fb3e7cc02a1d4cef217261bcfcae89659bb30a98d31dd258efe77500187a9f87f6f20f5122f16d9168a1f6716cc572cec178b106ecb4

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
148KB

MD5
1ea2f4c29c1b21a81d38421f37bd9180

SHA1
d346888d756a5226bd6e9a2cfb0b52ec6b4d9f47

SHA256
837a90f199f3dd396bb3a551b82320767bce0fd8c5f2222e862313af7e612ccb

SHA512
e1ffba7d31a544bfce56d37a0603304d65de464db8e6468136d74ed9332c26a61c0eb0eedebf3993ceeb58da11976f4db83a9a283ff76b5fa31fd445fa632b62

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
148KB

MD5
1ea2f4c29c1b21a81d38421f37bd9180

SHA1
d346888d756a5226bd6e9a2cfb0b52ec6b4d9f47

SHA256
837a90f199f3dd396bb3a551b82320767bce0fd8c5f2222e862313af7e612ccb

SHA512
e1ffba7d31a544bfce56d37a0603304d65de464db8e6468136d74ed9332c26a61c0eb0eedebf3993ceeb58da11976f4db83a9a283ff76b5fa31fd445fa632b62

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
148KB

MD5
05b035e9c844d7251ec57099210d7312

SHA1
bcc1dd42b2c7859e5c6e9542a0cf2892de6bfd81

SHA256
d64448ab2c966bd7850155f8e6a1306bc68a5268e6db80b5e320dd4deef60dc6

SHA512
94ff2b6f322d45cba63c0839d121b6f9c719b27ffeb22ca9c55b6d0d092d3e0e005263859faf5e71efa923edd703f4d7d85de6a05089a0483a3ae82ae2c278ba

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
148KB

MD5
05b035e9c844d7251ec57099210d7312

SHA1
bcc1dd42b2c7859e5c6e9542a0cf2892de6bfd81

SHA256
d64448ab2c966bd7850155f8e6a1306bc68a5268e6db80b5e320dd4deef60dc6

SHA512
94ff2b6f322d45cba63c0839d121b6f9c719b27ffeb22ca9c55b6d0d092d3e0e005263859faf5e71efa923edd703f4d7d85de6a05089a0483a3ae82ae2c278ba

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
148KB

MD5
9bc6d3e2d15026c010b1ada3f0f9b4cf

SHA1
2dcc9f0592edb1456b0e0a7c78c60926d9dafd66

SHA256
71f9deca8abe1a21b38ea1e49834e0d539f9f7bee44183cf2679193db708db35

SHA512
94f115985f3b3ba88677d9d66bc6d04160ef78d9be104aae4a6ec98464520a9f3eddbdfaf5356ee0973a2fb4cd5c5dfe8d23329a9ba0127f53725492d61f59ea

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
148KB

MD5
9bc6d3e2d15026c010b1ada3f0f9b4cf

SHA1
2dcc9f0592edb1456b0e0a7c78c60926d9dafd66

SHA256
71f9deca8abe1a21b38ea1e49834e0d539f9f7bee44183cf2679193db708db35

SHA512
94f115985f3b3ba88677d9d66bc6d04160ef78d9be104aae4a6ec98464520a9f3eddbdfaf5356ee0973a2fb4cd5c5dfe8d23329a9ba0127f53725492d61f59ea

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
148KB

MD5
51815b1208aba12e3c9cbada7369390d

SHA1
250f74e4c32e0c52901dd8b6ba0435976acb79d6

SHA256
eb6229acd7f10772f3ca960b3a7b709e84f82c8f1075e4c5ed6801e839f0196d

SHA512
98bbbea7639d357b66d540d1d322007e8709d0dd8ae2d3b37bb60417137529ab310171efaffc86c605088d20e60a8fc28b83490060c0a73015389d238bc32cc0

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
148KB

MD5
51815b1208aba12e3c9cbada7369390d

SHA1
250f74e4c32e0c52901dd8b6ba0435976acb79d6

SHA256
eb6229acd7f10772f3ca960b3a7b709e84f82c8f1075e4c5ed6801e839f0196d

SHA512
98bbbea7639d357b66d540d1d322007e8709d0dd8ae2d3b37bb60417137529ab310171efaffc86c605088d20e60a8fc28b83490060c0a73015389d238bc32cc0

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
148KB

MD5
f61119cb65cbbc4daf8c0c314c170e02

SHA1
d79f9f54f3bd84af77c76b478a5f99f95395c327

SHA256
e36668ac04d64570d69241c1765854fc3197377414cab003d8b4e184ee588baf

SHA512
393c2ef8934597d176e904bda572c7745288800f0a6a16adf295bdc1e8cbe3f138761a73c3d809bcd6910c307025dda8e3def98296f0d63883e39f40f8e3083b

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
148KB

MD5
f61119cb65cbbc4daf8c0c314c170e02

SHA1
d79f9f54f3bd84af77c76b478a5f99f95395c327

SHA256
e36668ac04d64570d69241c1765854fc3197377414cab003d8b4e184ee588baf

SHA512
393c2ef8934597d176e904bda572c7745288800f0a6a16adf295bdc1e8cbe3f138761a73c3d809bcd6910c307025dda8e3def98296f0d63883e39f40f8e3083b

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
148KB

MD5
3ecf27625d99f2dc791a24581ca8318b

SHA1
1d93b783fa7bb9e9a38b5c048135e478cc421895

SHA256
9fd75b68edc36787ca5d124f9658b75b6fc2170df0c52d98927fe56118acfaf4

SHA512
0c40d6aa6ab8039bbfd536ff51854c60edcb83aebb1fb645d84f6524f88b010b1627168dd7a8cf8db70ed8f4fcfa59aedce9ffb2c6aa2109d2cd5ad2c43fdc76

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
148KB

MD5
3ecf27625d99f2dc791a24581ca8318b

SHA1
1d93b783fa7bb9e9a38b5c048135e478cc421895

SHA256
9fd75b68edc36787ca5d124f9658b75b6fc2170df0c52d98927fe56118acfaf4

SHA512
0c40d6aa6ab8039bbfd536ff51854c60edcb83aebb1fb645d84f6524f88b010b1627168dd7a8cf8db70ed8f4fcfa59aedce9ffb2c6aa2109d2cd5ad2c43fdc76

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
148KB

MD5
3ecf27625d99f2dc791a24581ca8318b

SHA1
1d93b783fa7bb9e9a38b5c048135e478cc421895

SHA256
9fd75b68edc36787ca5d124f9658b75b6fc2170df0c52d98927fe56118acfaf4

SHA512
0c40d6aa6ab8039bbfd536ff51854c60edcb83aebb1fb645d84f6524f88b010b1627168dd7a8cf8db70ed8f4fcfa59aedce9ffb2c6aa2109d2cd5ad2c43fdc76

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
148KB

MD5
bde0269e5db92a8d46db75d371ae5576

SHA1
c2006608676a434bee0a912b2911f9fe7a130d60

SHA256
27849093c294d0f70db2f318e1c1a42d720d8510fc4a56948f7f11c71116a6f1

SHA512
a305df38fb4d61ed4dcb9a510de63e872e428c04165c920ff84e2eb1feb578847b5faaebe9fb805e4951196f1465a7b5cc27a27bea2f1b41385605950db2d618

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
148KB

MD5
bde0269e5db92a8d46db75d371ae5576

SHA1
c2006608676a434bee0a912b2911f9fe7a130d60

SHA256
27849093c294d0f70db2f318e1c1a42d720d8510fc4a56948f7f11c71116a6f1

SHA512
a305df38fb4d61ed4dcb9a510de63e872e428c04165c920ff84e2eb1feb578847b5faaebe9fb805e4951196f1465a7b5cc27a27bea2f1b41385605950db2d618

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
148KB

MD5
8a76923a44ddeb23622ffb42f2f5ff11

SHA1
4c5ee3945c1b41afc1be8a7aab28db548926bc20

SHA256
4b992671f840d6b53db06d079dab6d616cdb0d3353c93b68fd3ae92c5aad443c

SHA512
7ecc89b61964a4bb5d442b5d422cc6097f4d87202f1c10af812a154b5567522a11b759c9ba168052fdc6ab4a40b1f5a9f6d3eaad17a3f6cf22591079f2dd336b

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
148KB

MD5
8a76923a44ddeb23622ffb42f2f5ff11

SHA1
4c5ee3945c1b41afc1be8a7aab28db548926bc20

SHA256
4b992671f840d6b53db06d079dab6d616cdb0d3353c93b68fd3ae92c5aad443c

SHA512
7ecc89b61964a4bb5d442b5d422cc6097f4d87202f1c10af812a154b5567522a11b759c9ba168052fdc6ab4a40b1f5a9f6d3eaad17a3f6cf22591079f2dd336b

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
148KB

MD5
3a687dbea34c230398d6580ed8218f8f

SHA1
ca28826304ae9736afc4b1485dcc268b3251900d

SHA256
7205125e9d5dac69fd3e6164cc05363de33f97d770c8f5d91c0eb68585d82e7a

SHA512
c6520663db3ee2e42804502c8f7a2ff2d3aa5cf4231053c2df992d7d54c819fbf6ff764c0adcbfb6f748fa0a245a1a876ca8397994422bf1b8eedaf0a05fc5f7

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
148KB

MD5
3a687dbea34c230398d6580ed8218f8f

SHA1
ca28826304ae9736afc4b1485dcc268b3251900d

SHA256
7205125e9d5dac69fd3e6164cc05363de33f97d770c8f5d91c0eb68585d82e7a

SHA512
c6520663db3ee2e42804502c8f7a2ff2d3aa5cf4231053c2df992d7d54c819fbf6ff764c0adcbfb6f748fa0a245a1a876ca8397994422bf1b8eedaf0a05fc5f7

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
148KB

MD5
2b3d4bfaab148c5d5a806dfb9f1c62ee

SHA1
15de5b337300659946897a1c0cce24d941903edd

SHA256
6b2c07b0df822b7034d4f137cb0a27e1114686138fb983806d40825ea19a35aa

SHA512
39fdc2646a08c7663a0eac4d6ee62b991adeb2cc6047fb307e3011b11dd5df283c8f6a9fe58352aa124750f8a6a43086829b51839d835017a8aee3448d504c70

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
148KB

MD5
2b3d4bfaab148c5d5a806dfb9f1c62ee

SHA1
15de5b337300659946897a1c0cce24d941903edd

SHA256
6b2c07b0df822b7034d4f137cb0a27e1114686138fb983806d40825ea19a35aa

SHA512
39fdc2646a08c7663a0eac4d6ee62b991adeb2cc6047fb307e3011b11dd5df283c8f6a9fe58352aa124750f8a6a43086829b51839d835017a8aee3448d504c70

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
148KB

MD5
66f80a9d3504cbed1089f8d9dc89a28c

SHA1
8032c55695449fc553c98366991ad1ea62ef54f5

SHA256
f4576ab64b1e96fec80633c94f06e0fdd08ceffd256741820764d8370ebea968

SHA512
450207a0ffe96ce96718998667f1338da2af6927d4ab5e9d59c7de71c3445b3fa4dc3f944591d127dd34d8e1c6e6a40d19be088781a4d94d23e6d1c7866a9754

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
148KB

MD5
66f80a9d3504cbed1089f8d9dc89a28c

SHA1
8032c55695449fc553c98366991ad1ea62ef54f5

SHA256
f4576ab64b1e96fec80633c94f06e0fdd08ceffd256741820764d8370ebea968

SHA512
450207a0ffe96ce96718998667f1338da2af6927d4ab5e9d59c7de71c3445b3fa4dc3f944591d127dd34d8e1c6e6a40d19be088781a4d94d23e6d1c7866a9754

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
148KB

MD5
2a2cb01afcda2bef62e651fee7af563f

SHA1
432d8a70a521da9bbaa476d743cd70caa79b426e

SHA256
81cc0b8f05e62b215df25121c114b1600822d77cab76a6d2c47986255ddb5970

SHA512
d39c4b827af67e52ba44278af4342a640b0ddf577211e652939847c28edc291ed436c1781bbb6936f7c94f55d71acb9a74f325017d70aaf3e6884b311d1e50e6

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
148KB

MD5
2a2cb01afcda2bef62e651fee7af563f

SHA1
432d8a70a521da9bbaa476d743cd70caa79b426e

SHA256
81cc0b8f05e62b215df25121c114b1600822d77cab76a6d2c47986255ddb5970

SHA512
d39c4b827af67e52ba44278af4342a640b0ddf577211e652939847c28edc291ed436c1781bbb6936f7c94f55d71acb9a74f325017d70aaf3e6884b311d1e50e6

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
148KB

MD5
df163cda14633a1332abefac16c9d2ff

SHA1
1426b53212113b10c617e2ec4eb0a478d9046c6b

SHA256
afb5cb8411e27c9f9f9a9a30821cb2bf437b628f3257e9ef161db7c357f23503

SHA512
754024484f75654d5e0a94ff087a7cd69267a0d0db45e82fa0126e0155b685172daef8cc2e7817839c7cfd3cd7864184a7352af8098b745f87047a6ee3fe5b8d

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
148KB

MD5
df163cda14633a1332abefac16c9d2ff

SHA1
1426b53212113b10c617e2ec4eb0a478d9046c6b

SHA256
afb5cb8411e27c9f9f9a9a30821cb2bf437b628f3257e9ef161db7c357f23503

SHA512
754024484f75654d5e0a94ff087a7cd69267a0d0db45e82fa0126e0155b685172daef8cc2e7817839c7cfd3cd7864184a7352af8098b745f87047a6ee3fe5b8d

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
148KB

MD5
c0cd1adb932026593b8e79b81c61c71c

SHA1
ca9638d2a1051a595b8b533d26f163c2cd11fc9e

SHA256
cfb609a180025bc56bd2febac455c38b0c7b9a5ebf27bf27458bcd367d76169b

SHA512
359cc54d078c151d93cc4c1b1d68d942729993e0e46758a3285d10f775bd6509cc2d97f93c35d985fd5c8ae2218494e3bbf08c956efdf8e803981ec7cbad7d93

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
148KB

MD5
c0cd1adb932026593b8e79b81c61c71c

SHA1
ca9638d2a1051a595b8b533d26f163c2cd11fc9e

SHA256
cfb609a180025bc56bd2febac455c38b0c7b9a5ebf27bf27458bcd367d76169b

SHA512
359cc54d078c151d93cc4c1b1d68d942729993e0e46758a3285d10f775bd6509cc2d97f93c35d985fd5c8ae2218494e3bbf08c956efdf8e803981ec7cbad7d93

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
148KB

MD5
3ec49edeefab5a273c5f089439da15a0

SHA1
e89c19a4bebf41b44ee034aedabdc265d1b3edbc

SHA256
4598d41cb517326f287572b622dd289e50a900908cc31fb2675d319d62e7f77a

SHA512
e36ac7fd45e398c86c00f68375b93991a9302aff5e7707965dfdf1adb197a2bdd5888c286e20d723a98fcddb4f542dd204b188717f679e2e2e43ddf02d492327

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
148KB

MD5
3ec49edeefab5a273c5f089439da15a0

SHA1
e89c19a4bebf41b44ee034aedabdc265d1b3edbc

SHA256
4598d41cb517326f287572b622dd289e50a900908cc31fb2675d319d62e7f77a

SHA512
e36ac7fd45e398c86c00f68375b93991a9302aff5e7707965dfdf1adb197a2bdd5888c286e20d723a98fcddb4f542dd204b188717f679e2e2e43ddf02d492327

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
148KB

MD5
f05a415f67f9a687b810740e617cd243

SHA1
cb9c06d97bdc4b4b9359dabf6fcdfcf17f54f699

SHA256
a1560c2230047edf610017b12b8f322886feb07bd670d89320d00f8f920f0863

SHA512
73c1abce90d3bdf98ac7f053e7b47633a435ddcb50919e99cb2e29d1530260649086db25cb7fd42fa0437af0c0931e55a4b01002ea2da15e4e42b8884a03dcf1

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
148KB

MD5
f05a415f67f9a687b810740e617cd243

SHA1
cb9c06d97bdc4b4b9359dabf6fcdfcf17f54f699

SHA256
a1560c2230047edf610017b12b8f322886feb07bd670d89320d00f8f920f0863

SHA512
73c1abce90d3bdf98ac7f053e7b47633a435ddcb50919e99cb2e29d1530260649086db25cb7fd42fa0437af0c0931e55a4b01002ea2da15e4e42b8884a03dcf1

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
148KB

MD5
2b091df1bbf246e4457e40ba56082aa7

SHA1
ef1433a2cf169151203eb2022fbc8d3c0de11fc4

SHA256
87390598839919394044fd206f69dca81e3a9c3ad7bb61af07314174a9dc1fc5

SHA512
ae98cc6a942259644a2bd880cb0e3fab13b320588e8a5ecbbcc6db6607c7178218b5e8fcd893599a3c864213f15a1b60508a9cd752f813d599ea235736c25813

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
148KB

MD5
2b091df1bbf246e4457e40ba56082aa7

SHA1
ef1433a2cf169151203eb2022fbc8d3c0de11fc4

SHA256
87390598839919394044fd206f69dca81e3a9c3ad7bb61af07314174a9dc1fc5

SHA512
ae98cc6a942259644a2bd880cb0e3fab13b320588e8a5ecbbcc6db6607c7178218b5e8fcd893599a3c864213f15a1b60508a9cd752f813d599ea235736c25813

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
148KB

MD5
97233774c5a7bf93ce108c153ff7edc5

SHA1
0e4800311b131ae567d28bb93b98a9425350f71c

SHA256
cea5a9d61dbeba57ba4272c6f9b3880b511875e5cc6d9ce6f82f539110dc3096

SHA512
4bd7b414d060668025299b7838ee10db29d46d960c57b584067cffade66ca71232d114130cce62ea73bc15895d6af5aefd4162c2fc7fe870b17314934b5bc9c8

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
148KB

MD5
97233774c5a7bf93ce108c153ff7edc5

SHA1
0e4800311b131ae567d28bb93b98a9425350f71c

SHA256
cea5a9d61dbeba57ba4272c6f9b3880b511875e5cc6d9ce6f82f539110dc3096

SHA512
4bd7b414d060668025299b7838ee10db29d46d960c57b584067cffade66ca71232d114130cce62ea73bc15895d6af5aefd4162c2fc7fe870b17314934b5bc9c8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
148KB

MD5
6fc6d4f4f6326ac46d4554e8611558dd

SHA1
8364ab2af4f2ad3d25a5747cd41c834cf29f5b10

SHA256
eabad82aed5306f5af051ee098df6f4afe37fe2ee36ea4c8348791e784905a74

SHA512
af860b57345b5a10634a7919009137ce88f342b7529f682dbf7c62da1f0cbebce524319d61e4bbdb8de868175c552527f7040d5f58beaefba3659e37e0dfc623

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
148KB

MD5
6fc6d4f4f6326ac46d4554e8611558dd

SHA1
8364ab2af4f2ad3d25a5747cd41c834cf29f5b10

SHA256
eabad82aed5306f5af051ee098df6f4afe37fe2ee36ea4c8348791e784905a74

SHA512
af860b57345b5a10634a7919009137ce88f342b7529f682dbf7c62da1f0cbebce524319d61e4bbdb8de868175c552527f7040d5f58beaefba3659e37e0dfc623

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
148KB

MD5
a88b51ecf451d66ed557aa8e1c0c0385

SHA1
590adba135eb0443630ef48dd9d6debdcab3505b

SHA256
b6e688594be34f8a2c2a4412af8a28472cfbcf9b1a9b6c8a6896c79d1c66a48d

SHA512
9f61688696d6732a7472379ecebde6c8de6e13d64c702986583dc3f0698b90154dc10b887c4479f777a0d485889e6c7e45987b44602882a953b72bb574b15c1f

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
148KB

MD5
a88b51ecf451d66ed557aa8e1c0c0385

SHA1
590adba135eb0443630ef48dd9d6debdcab3505b

SHA256
b6e688594be34f8a2c2a4412af8a28472cfbcf9b1a9b6c8a6896c79d1c66a48d

SHA512
9f61688696d6732a7472379ecebde6c8de6e13d64c702986583dc3f0698b90154dc10b887c4479f777a0d485889e6c7e45987b44602882a953b72bb574b15c1f

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
148KB

MD5
3da7b4c38c6ea5c35a85f37f0b52fe38

SHA1
4123867503caaf08c0823f3064bd1d1f5ab3f1c0

SHA256
95a7a632dc9dc850bc896cf19dec374f34427e17d04f34e9d4becb3bf5cf86d1

SHA512
1b985df5aeb93037cf449f72301cc6e253b9f8e2a18fe99f041f7419acafba100df06cedbfb7d555a1c5e0555ac8c82547fa48221036db64ad40bc54b6d9a712

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
148KB

MD5
3da7b4c38c6ea5c35a85f37f0b52fe38

SHA1
4123867503caaf08c0823f3064bd1d1f5ab3f1c0

SHA256
95a7a632dc9dc850bc896cf19dec374f34427e17d04f34e9d4becb3bf5cf86d1

SHA512
1b985df5aeb93037cf449f72301cc6e253b9f8e2a18fe99f041f7419acafba100df06cedbfb7d555a1c5e0555ac8c82547fa48221036db64ad40bc54b6d9a712

Download Submit
memory/736-228-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1036-230-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1036-207-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1348-280-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1348-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1420-238-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1688-175-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1688-240-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1756-252-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1756-120-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1764-272-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1764-40-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1832-24-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1832-276-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1960-149-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1960-246-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2012-250-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2012-128-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2036-278-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2036-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2044-265-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2348-161-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2348-242-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2664-268-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2664-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-260-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-88-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2852-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2852-267-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2988-204-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2988-233-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3080-80-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3080-262-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3308-244-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3308-153-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3640-235-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3640-192-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4004-237-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4004-184-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4164-258-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4164-97-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4264-5-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4264-72-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4264-282-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4264-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4264-281-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4384-255-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4384-104-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4524-254-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4524-116-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4528-137-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4528-248-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4624-49-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4624-270-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4752-274-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4752-36-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4916-223-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4916-226-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads