611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd

Analysis

max time kernel
136s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe
Size

85KB
MD5

629b970efcb4ce36f887c8feaadcd1cf
SHA1

aa5a324926d9de3a56bf43d54045b5737c20e5f1
SHA256

611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd
SHA512

2f03b44645c9a9abf10717e3e8cb0d7fc7c8c469fc18fb0c941aca6f327cd7e09da81bb4c21a90bc3f6b501b4ec25df8782f261a1f87cdc8e070955562e7db21
SSDEEP

1536:rTu2mEEFWMUm2pnkDOB6fyICXu2LHWMQ262AjCsQ2PCZZrqOlNfVSLUK+:fu2mEEFWMUL3BCyICDHWMQH2qC7ZQOl3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe

Executes dropped EXE 37 IoCs

pid	Process
3192	Cdabcm32.exe
4276	Cfpnph32.exe
208	Cnffqf32.exe
2116	Cmiflbel.exe
4068	Caebma32.exe
2076	Chokikeb.exe
2524	Cjmgfgdf.exe
5008	Cmlcbbcj.exe
5028	Ceckcp32.exe
3332	Chagok32.exe
2580	Cjpckf32.exe
664	Cnkplejl.exe
4952	Cajlhqjp.exe
1900	Cffdpghg.exe
5000	Cjbpaf32.exe
3912	Cmqmma32.exe
2968	Cegdnopg.exe
1928	Dhfajjoj.exe
2484	Dfiafg32.exe
1484	Dmcibama.exe
3056	Dejacond.exe
2128	Dhhnpjmh.exe
1796	Djgjlelk.exe
1416	Dmefhako.exe
3104	Ddonekbl.exe
3936	Dhkjej32.exe
2260	Dkifae32.exe
1344	Dodbbdbb.exe
4148	Daconoae.exe
4692	Ddakjkqi.exe
2420	Dhmgki32.exe
4788	Dkkcge32.exe
3324	Dogogcpo.exe
1440	Daekdooc.exe
3652	Dhocqigp.exe
4388	Dgbdlf32.exe
968	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4676	968	WerFault.exe	124

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 3192	1076	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe	85
PID 1076 wrote to memory of 3192	1076	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe	85
PID 1076 wrote to memory of 3192	1076	611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe	85
PID 3192 wrote to memory of 4276	3192	Cdabcm32.exe	86
PID 3192 wrote to memory of 4276	3192	Cdabcm32.exe	86
PID 3192 wrote to memory of 4276	3192	Cdabcm32.exe	86
PID 4276 wrote to memory of 208	4276	Cfpnph32.exe	87
PID 4276 wrote to memory of 208	4276	Cfpnph32.exe	87
PID 4276 wrote to memory of 208	4276	Cfpnph32.exe	87
PID 208 wrote to memory of 2116	208	Cnffqf32.exe	88
PID 208 wrote to memory of 2116	208	Cnffqf32.exe	88
PID 208 wrote to memory of 2116	208	Cnffqf32.exe	88
PID 2116 wrote to memory of 4068	2116	Cmiflbel.exe	89
PID 2116 wrote to memory of 4068	2116	Cmiflbel.exe	89
PID 2116 wrote to memory of 4068	2116	Cmiflbel.exe	89
PID 4068 wrote to memory of 2076	4068	Caebma32.exe	90
PID 4068 wrote to memory of 2076	4068	Caebma32.exe	90
PID 4068 wrote to memory of 2076	4068	Caebma32.exe	90
PID 2076 wrote to memory of 2524	2076	Chokikeb.exe	92
PID 2076 wrote to memory of 2524	2076	Chokikeb.exe	92
PID 2076 wrote to memory of 2524	2076	Chokikeb.exe	92
PID 2524 wrote to memory of 5008	2524	Cjmgfgdf.exe	93
PID 2524 wrote to memory of 5008	2524	Cjmgfgdf.exe	93
PID 2524 wrote to memory of 5008	2524	Cjmgfgdf.exe	93
PID 5008 wrote to memory of 5028	5008	Cmlcbbcj.exe	94
PID 5008 wrote to memory of 5028	5008	Cmlcbbcj.exe	94
PID 5008 wrote to memory of 5028	5008	Cmlcbbcj.exe	94
PID 5028 wrote to memory of 3332	5028	Ceckcp32.exe	95
PID 5028 wrote to memory of 3332	5028	Ceckcp32.exe	95
PID 5028 wrote to memory of 3332	5028	Ceckcp32.exe	95
PID 3332 wrote to memory of 2580	3332	Chagok32.exe	96
PID 3332 wrote to memory of 2580	3332	Chagok32.exe	96
PID 3332 wrote to memory of 2580	3332	Chagok32.exe	96
PID 2580 wrote to memory of 664	2580	Cjpckf32.exe	97
PID 2580 wrote to memory of 664	2580	Cjpckf32.exe	97
PID 2580 wrote to memory of 664	2580	Cjpckf32.exe	97
PID 664 wrote to memory of 4952	664	Cnkplejl.exe	99
PID 664 wrote to memory of 4952	664	Cnkplejl.exe	99
PID 664 wrote to memory of 4952	664	Cnkplejl.exe	99
PID 4952 wrote to memory of 1900	4952	Cajlhqjp.exe	100
PID 4952 wrote to memory of 1900	4952	Cajlhqjp.exe	100
PID 4952 wrote to memory of 1900	4952	Cajlhqjp.exe	100
PID 1900 wrote to memory of 5000	1900	Cffdpghg.exe	101
PID 1900 wrote to memory of 5000	1900	Cffdpghg.exe	101
PID 1900 wrote to memory of 5000	1900	Cffdpghg.exe	101
PID 5000 wrote to memory of 3912	5000	Cjbpaf32.exe	102
PID 5000 wrote to memory of 3912	5000	Cjbpaf32.exe	102
PID 5000 wrote to memory of 3912	5000	Cjbpaf32.exe	102
PID 3912 wrote to memory of 2968	3912	Cmqmma32.exe	103
PID 3912 wrote to memory of 2968	3912	Cmqmma32.exe	103
PID 3912 wrote to memory of 2968	3912	Cmqmma32.exe	103
PID 2968 wrote to memory of 1928	2968	Cegdnopg.exe	105
PID 2968 wrote to memory of 1928	2968	Cegdnopg.exe	105
PID 2968 wrote to memory of 1928	2968	Cegdnopg.exe	105
PID 1928 wrote to memory of 2484	1928	Dhfajjoj.exe	106
PID 1928 wrote to memory of 2484	1928	Dhfajjoj.exe	106
PID 1928 wrote to memory of 2484	1928	Dhfajjoj.exe	106
PID 2484 wrote to memory of 1484	2484	Dfiafg32.exe	107
PID 2484 wrote to memory of 1484	2484	Dfiafg32.exe	107
PID 2484 wrote to memory of 1484	2484	Dfiafg32.exe	107
PID 1484 wrote to memory of 3056	1484	Dmcibama.exe	108
PID 1484 wrote to memory of 3056	1484	Dmcibama.exe	108
PID 1484 wrote to memory of 3056	1484	Dmcibama.exe	108
PID 3056 wrote to memory of 2128	3056	Dejacond.exe	109

C:\Users\Admin\AppData\Local\Temp\611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe
"C:\Users\Admin\AppData\Local\Temp\611bf802766c2c190c57f3c4f977f225f9b445f3c894d5ff1e6593187ed1e6fd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\SysWOW64\Cdabcm32.exe
  C:\Windows\system32\Cdabcm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\Cfpnph32.exe
    C:\Windows\system32\Cfpnph32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\SysWOW64\Cnffqf32.exe
      C:\Windows\system32\Cnffqf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        38⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 404
        39⤵
        Program crash
        
        PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 968 -ip 968
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
85KB

MD5
8370a7be05511cf2a39aae33056ccfd9

SHA1
58e9cefa4f62eab893344f8380386dafb8111dcc

SHA256
94ecf86c3faf28d0cd1d371eb9d3c96c1040ec5ed542663cc2f68bddf1d65d1d

SHA512
a1412987a88a46d2250b85243f44f96b9c30d379a040e86998f847fef4f72e1abdcbbcc4a8b5120918ffdf8c83b31a06d2d52d840c1ed8419cf3d593d9e8e878

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
85KB

MD5
3312b32e34293a4b8983847558c2c147

SHA1
c341e7d243161f1fbe4d6580303746cb792394f7

SHA256
314f35098e84debb73a3fb80cc1740ef182a3bf1ab6594c13ca35d31d7b93003

SHA512
38281be80f26d85ec4ae02cc48daf5fac812c2cdc23b06b561decc4efb5182a6f5a5383a8de971905f8c1b8440129373d0061e2442b37b40bfa311e3038323ca

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
85KB

MD5
b41238219fdde3f995fa4419cef713ee

SHA1
8532d26a6d310c69e9c539325e1a1400c954ee09

SHA256
29b7d4858a22c0574329e2646a139d5286d93b042c5573c5a2e8b2879d25d4ac

SHA512
88dd3abc0a25804e235ae3127b5a7ae35918bf1c74c16b8113c5a45753acd4a9b266c281de8546d164929abdb35aec1504b1461187cb0f411c8edaf687a74bcf

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
85KB

MD5
cbdffcd0dd8433907cab29ad2e2a209f

SHA1
1ab34cfbd2e468e8978d93a950fa5b48843654ae

SHA256
7d7ee5ad16b385fc2a4250d94cc9a2a79700d75281ef613faa854d4c000a5905

SHA512
e90c9741d4c16bbce791a0531d587d7bc0099008c8cf0868bfb2cfdcb629a54f69208f3dab6d4f05631ffce5f495d9bad0b5a8db52ad9e201aca212bf74e918b

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
85KB

MD5
4518285888cdfa3a6422934eae55ff61

SHA1
441eebac46c0829fb31bf0c9591ac7b86da06d11

SHA256
0d65289dc1804a69eb2777fd7d74dde73dc2973d516187b3176ca763b273e93f

SHA512
69858cf2dd2efec4406b61686233d7e9ddf049625a1c6bb465b541749796e2ec99f1f0a2514d4778e181e9ae21e049343215e8a26ab3a73f0fe5465f275c66aa

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
85KB

MD5
f0086d177c77c09b353b59e7edd6c5c9

SHA1
6965737124c93aeb834568e0adb51345bd184430

SHA256
4d121b036a08fef55b477eb1dcf08092e71b1df2a0a03e708de37f6e4421b51b

SHA512
21fddbb32911bdf70105cdb81e8410294729435cbdaa9043a138b45e2b3a423fda56ec6d0bf6df640abd9436af1a3fa28cfd2509918c5d199fb1547b974768b7

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
85KB

MD5
4bf1fbaa410407de3a6d7ea83bf59dbe

SHA1
a8aa7a41aa3c4869089c64145d8b0fe914eda14f

SHA256
df4e8e743559ff43f801876e2ed1d0b64c64d0c8a69360ad041737e42d36b900

SHA512
24f247a40f59bc674602248cdad28420130a96d132a5e5c31b0afbfdf3f2b570c5642ed02c977beef3ce5ab41119ab2378ad8046a483f211d383d69629a93dfe

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
85KB

MD5
198164dfe2d1fd98e30d8f65931abf1a

SHA1
8df0915b4cc5d62a695975deb97bafa17ac56a48

SHA256
1a85bfe6fe8b687529f230888b254d02a0aa0779a3a2b83433d062bcb1c6f6d0

SHA512
23ad5d49068d912527b75bf5ba151c7f7a813c612f6d744484102890122b12d76f77ae3cc440db1ccae34436e039c8774b1e4a8a854f3bc150b3249e7d43bcaf

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
85KB

MD5
f57e127605aba1dfea2a37bcc2d1743c

SHA1
04382d3b4b4510858e7105263189f437e0c9a462

SHA256
fdb386f941aa444dd8187c68bb67234eb48c9dff8e05bb8343d6ca9a98748100

SHA512
5f94c39db33286f360cd76c6936cf5d4f369f8d40487d4cfec1baff66314b01854a76cd9b6c1205e5a6b165d526d0d73b1cc5ead184f1796f98cb552b425e404

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
85KB

MD5
022238f49969fe230b7ff65984bc9f59

SHA1
7362986875bfbda7c15c76677686757145f47ef8

SHA256
edaabb48922c5a9ce5432c08abbdd34fc3eb390b5aa70dde0ad0e6c0d727295a

SHA512
08686ffabc965df17c78f4c3ca9f192b1a3c9fcb9a08db98c883f4b2bf88f0c3d73c2372bebb23b43b5ed10250e6ae0d8aa5bda044185c63afd2cd6a4c49beb4

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
85KB

MD5
3998204fb7b4e1f5f228f5cfd238b79a

SHA1
cc70851db0a4d9c138140b9e361ff37d9ecf13af

SHA256
921886ee9c371349120a0ce895f8fcb8e9873c7d7f8cdea13bef5ff353b905f4

SHA512
f93fca91e5e3c17d66823af7c518861724ef390daf8b4f7f1b36591551a55ce7ffdb844bec6e3878b684d8a7293eb5957831ce4f8060d63377f295a7c61a4d14

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
85KB

MD5
eb6afcce90d50902e1551c5e9787f6b2

SHA1
2d6d307aa60488f8dd75af96cc1f949c936261a4

SHA256
41666709c39c1364f488a3173b5807fb2d036b68299491d7c620e7f55ee5ec88

SHA512
f93771686f126dc7277b750840e9f45c0b0b85eccf9fae29810b82b3083362d739c87d852c7a02cfa05cc7142a91739fe2c0dfe7c2c0de43e2d138398250e80b

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
85KB

MD5
8813c6bbd14817f90c30280e475e00dc

SHA1
99201c2b0c2d40864bc8eb2edd7204c00136ba88

SHA256
1d68fb4bd6f1b489d3e1a1a4dd47b0097d6d42742af17c1e8b975d9e61369844

SHA512
b41e1b97a2427f36b322173a16e005617b06023d1ae139f50988128e3291aa32507abcb6390d627314c3ecb266010307f06061ce85a97badc9b7fd4ae5d1082e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
85KB

MD5
5c311a1f0afaa914e12f166b891967f6

SHA1
4dd6624ad67a206d8c42b94f129d185a44b57438

SHA256
667419cf1d12d59eadade9c3bdf2cd3e4a237d8401301cc97a39e81921053e0b

SHA512
1613264474b9fd400193e98a6dfca1880cf39e83f67571bc4bc196e77152e841831733b257d9bddf44083b6ea286cb7c307f3c2445c2d2e24481748551183079

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
85KB

MD5
16f409deb78ecbfbf0d68269e941cfb7

SHA1
7ca31722e805d95d277791d576704e06ded4a9d4

SHA256
f652de12f5462a5704a3bdf1da77a0af46616194b06a49fe76cb51e672e09f5d

SHA512
a5f6296b219271ae33a5ea53c5f2532e1b639d24b8bf84af06348bc792f933f6e853e6dd784d0e52a6609584b4dafcad309eec1f74ae727850c7b9021b07c8ab

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
85KB

MD5
9c75c9d3f8a06482d39d256171b8e26f

SHA1
a19cabccc2d1bfe6a903b5c222d6755deab2922b

SHA256
e37d4baa09417903a6856539f678b30c13b0ff69cadf82f9ad04a8fcf41f1df2

SHA512
d5d437c14a2cebe96c3c7146b5576c55ebe94597c98460c5f710ce88bb661f392b76291c36ceeb0001dfb4bbc3db89f3675fe3966ae28100f822560dbed1a95d

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
85KB

MD5
3c1f350f460057101c8ef807dfdb58cb

SHA1
0ca412f6ac4cbd4226fb398a78f27246a43bf87d

SHA256
57ee525126cd32b724797ab11e76e334eb66563fce6c39bbd50969abe00e8643

SHA512
a10e89da06211a8c095488493618126af941375ac77d0f53b37893b3c7319570f3aaf900fb69ed402ee4f475fc6e439713372ad0bdbbfcaef2f7e1c9d080affb

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
85KB

MD5
d3b16301e992ba442fc3758ae5089ec5

SHA1
3e6913eb9d3897987f0546e0581b9288d7fca107

SHA256
c167f5cc2b33db3acde726fbc7450d289f46b62912d1aab670c231a9a807b761

SHA512
e19478a23fc4eb2aacc4b2c7238d23141b01e8a8d94fceb90b537778bb6f478fad91cf9abf0acb5e8dbacc9b6df233c374fe08c1d68b6b11051540e0676b0341

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
85KB

MD5
299099fbb1526c7451a143841179ac16

SHA1
8e0791015677f2a69b26654a96fd3362aa4de9a6

SHA256
2412fbc0822dbf07cee02255d7c3abfcada347258ee0b36ab0c0b2d112cc802e

SHA512
058cc6cb6a79be99b5bc096d9ab0b5928f5f80d5f4e24ed61f766c68e5faac33ec48f768d6f92735ce49a9ddeddb35ed08fc4f9308a725bf95a27a772ef0000e

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
85KB

MD5
752c5de7894e117bc20f62bf823ee7c5

SHA1
ed6d51da133126a0d6c9048696ce3166dd7e1e2a

SHA256
f9fcff81dc463d85e0cc71bd6c0535bc34a6e50c891643201a2eeb144e28f6da

SHA512
70de16c43329957caef3c120ddad970a8c85c4da5bf6fa77d70bd384dea0ac47c6fed3d3e6b36e3722ffbd4245b00c7c1c9ac8eeaa401a437c0ec9ce9b994f55

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
85KB

MD5
6e9b75ae47edaf1c2268bdf2db7645ef

SHA1
94bc023f5bf101ee3e37a69d0e5929c937ce8ed0

SHA256
84f49ce00ccc1eb473bcb1555f3f71accec1ebfc9d3161526db7e6234f26c96b

SHA512
50c3ed34dbf2d8c5f02f1af4ee4b22b419a0d8a48e09a5a285e3dea1903364ae66390519ea80a2e49167ef42859b58021f8d21e578882a685d4698d3cdfb26aa

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
85KB

MD5
13e158fe114e7d2f642c6558758e57aa

SHA1
d4411246680620c277e1c0d09d4442e24ac9b99d

SHA256
724f2f56a1d0be8387bcafc7d95a93280aeffb4d2fa58bbb3a49e9f449a7e6ad

SHA512
ecdc4140ba58c052e543a4862c7891149accc1cf26ef301624b54315132374e04d100863c1a91c4d566d47113d90607156f8de22987aeace463ce2f9ae863d2c

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
85KB

MD5
35cd77ce39994406518ef4205f47739f

SHA1
824c83c91901d447c807b8896082c7681d9a3ce6

SHA256
604454f81bff4bac1409af5ee28eed011f6a15ef6eb966f3ff27a29169c413d5

SHA512
cbaf3b7e4b92294032c30d2217a09ba7a3c33ace29ac895761bb63e052b1063aa3fc5a1c180207131725ed40f996915e0177ea3ab7c93c2d32a0c76e05288778

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
85KB

MD5
436b8b2dc11b7e0657c7ad82b4956cf7

SHA1
195796df34f68cda9f468fc6eb080ff19fdd5c08

SHA256
0603e5d5e250d6c30e9e46598564d917b28ced3ab4519b47a3042ec1dcc69ced

SHA512
87f0820c111a042398d8141f29b4aa7d088e8dbcbd0bca20718017501dc5934fbe191535ee78f967f044489d4d4ffa3864832a4bb23f66ce016542c0ab927c7a

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
85KB

MD5
5ac51180e5d32100708fa3de297b16e4

SHA1
0da7c9036fa3f0be2a1d4af53cc958410c7ef489

SHA256
1573298fbbbd9ab628e11ee30b6ffc6e7aafcc668340b7db26c75b7d22473076

SHA512
843242462a71bcc4c4f4b0a8a05265e996b40bc5f62fc72a8c458b67540b334ab6a13a05797e79990f5cd1edca633e6e123f1b24bdf97512fd467927b44b1cb7

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
85KB

MD5
5674fbbeed83d572d59975ec45a63659

SHA1
3373840752cff7a899988b1eea618f8133395175

SHA256
7f939dc172adacd6759d50da4fc16c3bef2efb84ef4eaa08682a7d3080b8c552

SHA512
6fd32e83fc28bf99466cc6740264a7c8c3a57a7f08dd39b6d933f2515cb4c00c12ecb57027cba4ff19eba959f1aaf539a05a1b47007d5bff8cd62acdd3fb19b5

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
85KB

MD5
06c86f4330226cfdf4c61c6fab85828d

SHA1
bd70bc81576daf4de3f1516d7840861727c1927a

SHA256
5e46a45f184e918cc7d162fd1eba9cb50cbcfbaafe7cfb59a817aa08fa128681

SHA512
e4384bdbdac71751440813d304f87283ec68566397f552f2c8e56fe42b4e12a9a83ff31bb9ef09e90b7d2a9009a0c6da93208406251f194f73e6805295160d0a

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
85KB

MD5
6f385e153f04d42c9965ce462de4e655

SHA1
027411c96e9ee227672ab75168f4b30938744fb7

SHA256
6ad8e1c9582c0972869379cf6bb12144f3ac85a3973ec2a96804411b281d9bf4

SHA512
3426f177f9d9e3211004dcecabeb3b19282f5de67b62678126224d680c57c8861e092fe72cc290c464b7af995f51c69f1a9b93dfaa9ba2ccfddfe92754b4fb1f

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
85KB

MD5
e34de15744a0b979dd737bc0370de2ee

SHA1
1f93e95ce3ba2c57f35589ca724fb09d9ab4e9cb

SHA256
5ceef8bbdae5ee940a54296776ae313289ff6f7aa279f63bdb7e8ffa210b5f2b

SHA512
c9530fd98bc702dd120780d30283b10b652c68c53a5f53592b5e4f64bc87d76a6b95ba7e36a7e3751ba96a7bfc3564b1692feb2ecab229ce3ceab9f825e51d8b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
85KB

MD5
fed2ef6e2a6a2a0c56fe965bd1759680

SHA1
d734a6f9000c8596cc157fbb2ff671cf9c19a8eb

SHA256
4fbad15ca73ca228bc858f4020883ba4c6c8f6066c4ef1747b427207c191707f

SHA512
ec41d3bc3d0b2b936da7bf4a08924c933ec602f6a354c49ae808535960f609169052a9ec426ef39d965a9c21f1fe5d00af2c049c2a18de60e360205bc7bbb817

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
85KB

MD5
b47ee0a4384eaa76c12fab6bf01ece1d

SHA1
2a94a24b15a1d2d302d2b7fe87553d1b65f6845b

SHA256
153c233fc5fd218febc09dce02ab46c9e8462fb230cbe54e0f0e3e9e576c46af

SHA512
0e3379f5c894aab6a2bf6ffbf1b6bde5a033e1b73789c104e43a5102312500ebf1a07b9cea28a0918945083369208be5238c8e040f52a071f5f9220b0ed99af2

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
85KB

MD5
3ca34024a6a964db21e614e872179238

SHA1
3da6b54c3f6dcccd641a2a786995f70cd6710c84

SHA256
a32263194735bb1fa960ce95b4b10ecbb619387c8102b837e713407218c71423

SHA512
09517e4089c07ceceffcb098a65c0ab2b2ae59ce44e6ff7cd8a9c04da29a655e242dd777eccb737fab67d89d5eaf9f0a8ccb9c6f4de271919576b0aa88e48d04

Download Submit
memory/208-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/208-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1076-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1416-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1416-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2076-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2076-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2128-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2128-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2420-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-150-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3056-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3056-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3192-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3192-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3324-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3324-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-84-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3912-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3912-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3936-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3936-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4148-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4148-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4276-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4276-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5008-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5008-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads