749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
Size

95KB
MD5

33fa0a551952334438a7845da05ac750
SHA1

f99af1457de4f0c050772e856e0024859095e051
SHA256

749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42
SHA512

369a3562142dd8248b28383e6974a4a4bb5bb466c42c3b914c5ad9ff83841c6fcff1b452cd6ba66cfb5e9b2303bcfe7a79a3f83f1c94baeed0462ba0173f7c38
SSDEEP

1536:BYYBh15NSjnEDfjMm2FCQtRhQpi3AiRHwrv3twmtXFMz4GWh5BBAOM6bOLXi8Pm2:d5Nm6fTytRhQpi3A04rMz4XVBADrLXf7

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe

Executes dropped EXE 35 IoCs

pid	Process
2520	Bapiabak.exe
4252	Bcoenmao.exe
3992	Cfmajipb.exe
3564	Cmgjgcgo.exe
4020	Cenahpha.exe
2228	Chmndlge.exe
2592	Cnffqf32.exe
1560	Caebma32.exe
4900	Chokikeb.exe
988	Cnicfe32.exe
556	Cagobalc.exe
812	Cdfkolkf.exe
2044	Cjpckf32.exe
4692	Cmnpgb32.exe
1500	Cdhhdlid.exe
2032	Cjbpaf32.exe
344	Cmqmma32.exe
4980	Ddjejl32.exe
2316	Dhfajjoj.exe
4876	Dopigd32.exe
3148	Dejacond.exe
3164	Ddmaok32.exe
4780	Dfknkg32.exe
4044	Dmefhako.exe
4896	Delnin32.exe
3232	Dhkjej32.exe
3668	Dodbbdbb.exe
4788	Deokon32.exe
4320	Dhmgki32.exe
4752	Dkkcge32.exe
1728	Daekdooc.exe
3244	Dddhpjof.exe
436	Dgbdlf32.exe
4512	Doilmc32.exe
4732	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3336	4732	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2520	2892	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe	83
PID 2892 wrote to memory of 2520	2892	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe	83
PID 2892 wrote to memory of 2520	2892	749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe	83
PID 2520 wrote to memory of 4252	2520	Bapiabak.exe	84
PID 2520 wrote to memory of 4252	2520	Bapiabak.exe	84
PID 2520 wrote to memory of 4252	2520	Bapiabak.exe	84
PID 4252 wrote to memory of 3992	4252	Bcoenmao.exe	85
PID 4252 wrote to memory of 3992	4252	Bcoenmao.exe	85
PID 4252 wrote to memory of 3992	4252	Bcoenmao.exe	85
PID 3992 wrote to memory of 3564	3992	Cfmajipb.exe	86
PID 3992 wrote to memory of 3564	3992	Cfmajipb.exe	86
PID 3992 wrote to memory of 3564	3992	Cfmajipb.exe	86
PID 3564 wrote to memory of 4020	3564	Cmgjgcgo.exe	88
PID 3564 wrote to memory of 4020	3564	Cmgjgcgo.exe	88
PID 3564 wrote to memory of 4020	3564	Cmgjgcgo.exe	88
PID 4020 wrote to memory of 2228	4020	Cenahpha.exe	89
PID 4020 wrote to memory of 2228	4020	Cenahpha.exe	89
PID 4020 wrote to memory of 2228	4020	Cenahpha.exe	89
PID 2228 wrote to memory of 2592	2228	Chmndlge.exe	90
PID 2228 wrote to memory of 2592	2228	Chmndlge.exe	90
PID 2228 wrote to memory of 2592	2228	Chmndlge.exe	90
PID 2592 wrote to memory of 1560	2592	Cnffqf32.exe	91
PID 2592 wrote to memory of 1560	2592	Cnffqf32.exe	91
PID 2592 wrote to memory of 1560	2592	Cnffqf32.exe	91
PID 1560 wrote to memory of 4900	1560	Caebma32.exe	92
PID 1560 wrote to memory of 4900	1560	Caebma32.exe	92
PID 1560 wrote to memory of 4900	1560	Caebma32.exe	92
PID 4900 wrote to memory of 988	4900	Chokikeb.exe	93
PID 4900 wrote to memory of 988	4900	Chokikeb.exe	93
PID 4900 wrote to memory of 988	4900	Chokikeb.exe	93
PID 988 wrote to memory of 556	988	Cnicfe32.exe	95
PID 988 wrote to memory of 556	988	Cnicfe32.exe	95
PID 988 wrote to memory of 556	988	Cnicfe32.exe	95
PID 556 wrote to memory of 812	556	Cagobalc.exe	96
PID 556 wrote to memory of 812	556	Cagobalc.exe	96
PID 556 wrote to memory of 812	556	Cagobalc.exe	96
PID 812 wrote to memory of 2044	812	Cdfkolkf.exe	97
PID 812 wrote to memory of 2044	812	Cdfkolkf.exe	97
PID 812 wrote to memory of 2044	812	Cdfkolkf.exe	97
PID 2044 wrote to memory of 4692	2044	Cjpckf32.exe	98
PID 2044 wrote to memory of 4692	2044	Cjpckf32.exe	98
PID 2044 wrote to memory of 4692	2044	Cjpckf32.exe	98
PID 4692 wrote to memory of 1500	4692	Cmnpgb32.exe	99
PID 4692 wrote to memory of 1500	4692	Cmnpgb32.exe	99
PID 4692 wrote to memory of 1500	4692	Cmnpgb32.exe	99
PID 1500 wrote to memory of 2032	1500	Cdhhdlid.exe	100
PID 1500 wrote to memory of 2032	1500	Cdhhdlid.exe	100
PID 1500 wrote to memory of 2032	1500	Cdhhdlid.exe	100
PID 2032 wrote to memory of 344	2032	Cjbpaf32.exe	101
PID 2032 wrote to memory of 344	2032	Cjbpaf32.exe	101
PID 2032 wrote to memory of 344	2032	Cjbpaf32.exe	101
PID 344 wrote to memory of 4980	344	Cmqmma32.exe	103
PID 344 wrote to memory of 4980	344	Cmqmma32.exe	103
PID 344 wrote to memory of 4980	344	Cmqmma32.exe	103
PID 4980 wrote to memory of 2316	4980	Ddjejl32.exe	104
PID 4980 wrote to memory of 2316	4980	Ddjejl32.exe	104
PID 4980 wrote to memory of 2316	4980	Ddjejl32.exe	104
PID 2316 wrote to memory of 4876	2316	Dhfajjoj.exe	105
PID 2316 wrote to memory of 4876	2316	Dhfajjoj.exe	105
PID 2316 wrote to memory of 4876	2316	Dhfajjoj.exe	105
PID 4876 wrote to memory of 3148	4876	Dopigd32.exe	106
PID 4876 wrote to memory of 3148	4876	Dopigd32.exe	106
PID 4876 wrote to memory of 3148	4876	Dopigd32.exe	106
PID 3148 wrote to memory of 3164	3148	Dejacond.exe	107

C:\Users\Admin\AppData\Local\Temp\749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe
"C:\Users\Admin\AppData\Local\Temp\749308957612180cfaf4f62f5661709c590397734c9672bdf09055f42b447a42.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\Bapiabak.exe
  C:\Windows\system32\Bapiabak.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\Bcoenmao.exe
    C:\Windows\system32\Bcoenmao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\Cfmajipb.exe
      C:\Windows\system32\Cfmajipb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 408
        37⤵
        Program crash
        
        PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4732 -ip 4732
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
95KB

MD5
879344367dedb67ec1301c89a9a6e0ff

SHA1
cc8a96ef38bba209750d9e3878973418bc972338

SHA256
714695046cca7219303cd7aa6b6ef5d2a1358f1099c894e7f5fbd2791ece4ece

SHA512
edf93ad3177a9b795b5b899418410cd32a7972f1ef6c258ff74dc220bdb774defc14daf35b08ac1f406126fbd6261065e7bfd741189afa87c92de2b795955e56

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
95KB

MD5
2e25e752dffb793155359bdc20a879a0

SHA1
3ac199fb73a9f89ce36d4f3b517c65c2cbd3f1a8

SHA256
5ea7325e047118a210bd26555d960581750c725db5f61d8437b0188762a395ec

SHA512
51a36b84757ed7cc0d78b190840d3412285a9cf76d59d23c7d22bb94854461a13c1fb89fe6a52128e56ec0ad563b0043411603881ec4c0b95f8e268aaf56b77f

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
95KB

MD5
01d5d37bb87afee76982ab6c61c30f1f

SHA1
566034aac3d4ba0b13d4f66036cb61dfa3767a9b

SHA256
99434f61c266bbb338f581595ce15f0d27bb2701b550b4b7f72ffec6b902548d

SHA512
a5ab4af8f1b7f3a849e9221ffac7076cb17328902ec503c3d361018a1ad923d01757fb8dccc0c5d6745653d9a6c7af5a7814b6a1d1ec0a44aaf79fd901732687

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
95KB

MD5
8b6912c59473c380a40a5d05e59f0023

SHA1
e7d549cf74bcb63b707d8786afb715cb98387e9e

SHA256
621a0a8bd7486d6d872434e27d10db0b6945ef599176b32e3bb95fee31bc27b2

SHA512
9983b6b7692658f8618f81ad8bd940773973623002d923eee01ec79883f691a4edf0e549eefa4cbe4cea6afe7ec4fa17a1be07d03bb1c6ef577e4b81d6194ddc

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
95KB

MD5
fc224e10bbbb337fcdca09c2462f9b08

SHA1
c313621adf6e3edae32f589b73043abcfd4f94a4

SHA256
511fd05aa5400bb0e61d0fd575449400bec17be9b7cf68768054d09d4713b2c7

SHA512
01635724aed919db1242a86b8c739ee1b958315f367c8c97e10e47c53ecefe8a99adfa8259048b0e6e9a7d84701101e792a29f0138d77886b24e4b093ee2f858

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
95KB

MD5
4ed0fb464971aa39e89f3c745cf6de8b

SHA1
0491c2b550c3a828a59c05f001358ca0aceb3c8a

SHA256
f6596e24acc5017d758a28444ab311464c235886d4c7800fea7a61a29ee8b8b1

SHA512
6d01885070709b06a019ff08f0cfa01f7b2773d865d05a0438e401e529dd1ee2b0965bf03e9fc7e7592ff4d5515248f732ed9b80216537803eca39bcb6055bbc

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
95KB

MD5
43748d7a3613e74ee16a01176c91acfa

SHA1
b6430b96d9814f342ca2037ceb1dbf79ee31771c

SHA256
fbdef1b717dc59461cfa595f6dddd4af5a632bf1ef148a590f1b2ab7debb9241

SHA512
f441ef2fc7097c90b1f3c9ee8f35bdf9650da5163a776211fd60fedf50df5bd57a3e583acc48133c163312c770050bd60f7fc0fa9cbe0559e41c24f621b9f31a

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
95KB

MD5
8a78ee7749bc71992f2d4c81380ebe05

SHA1
9a9baa47c1813efddcf98510f4d5351a156c247e

SHA256
29e5e780a5c53a19c7bf568d9b1afbb3d37f4d666cf133f58c1224b8bc719dd3

SHA512
22c940f7ec41bb85c620574c71ba5495fbfe36be9b67ff708860cc61c7b590c04cabc5edae366e2757b6850fc6361851ca248178154a804e67fd8a25aa55f8e8

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
95KB

MD5
7b88ff6d24047aada4a5872ced856dff

SHA1
ae460c9b47bcbef61ad2e6969bd81137becac599

SHA256
701a492cfa487a57aa5ff0fb7c154823e7bea879ad856cc681d006400adf5cfa

SHA512
473f1d6bb3faa3e0ccb5cb300e7e3e71ca65f2f3f7c7c0db64861a4f6c36bf01238c4a16abac94c7a2ca7aaad223e28cb1716aa01e60a0df9a4b852054faacf1

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
95KB

MD5
e63dc87c8aedc8230ad993303d7152f8

SHA1
4252d9c4ea64544697976469987482a0082ade95

SHA256
1dd58c40af67228fb6291727f751392649ee5ae5ada40fd42596000f1463a6f7

SHA512
5eaca6ec4c321362bd809a88fa34244c3726661809ba1c746520c70cf5a09f1a6f7f294894835582f25fc42cb8e99bfa46d9daa1caced932beb64e5e30d21d8b

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
95KB

MD5
febb4f72f4dd480c9995677f54bee531

SHA1
3d8675fea80644fc482ae2195deba32e066f0724

SHA256
b3f5c6dbe10f58333da48e6f6316f6506b46e2d3e12807b36dfd9e385bff2329

SHA512
be9afab5de8c4f9e82770d3f2f9faba387dab3ae68bf35d93e322322908d56a9bc76ae05095e6efeff97fce3e09fdaf9f2771682bef4d0275d3c7cbcbc8e835b

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
95KB

MD5
94a82b5955dd34f5994a06ecfcff265e

SHA1
e030fd7df9a9b44f3f110eb7ad8d7831c3130196

SHA256
dcce47084d4a4795cfbe111843fbf433f2b60f8882220fcf7f71e6e869c9a045

SHA512
20eddc7fb81677277cde5d988308f454a3f0ca8e36fe79fe276c7187d5d898b51fcc2e17a3d2a014a8c166e4b518f3c6cb22b8ec1746de3b35f72be73631a57f

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
95KB

MD5
79b41ee8be24222e7f27cfb1d0eaba64

SHA1
9ad07c8bcea5cbd76ba8299568bb78d11e73889b

SHA256
b8792a202384cba2bdc04570392fb90d2f85da17a45035931115378dd0ed5127

SHA512
3b8b2d32b91c0264d10763dd27696bd3773b355c6caaac9b57f418112edbaa1202a210e40947b2d6cbee565a6af0ca8e89ff195524456649cee200cceabb629d

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
95KB

MD5
c271429567d5475437c6fbab3b96450b

SHA1
fa79476f5d81e64fcb1ebec19a8d9890556bc11a

SHA256
0db40dc607254eb575971df3f36ac3297a33764a1f47193a6e888e145826456d

SHA512
fff524946a6384269585fcbb123e51869e11bff6ae746a75722212acedcdeeb9f5ace7d753882ca26f1c6a15307f2f16c34b947c1eb1173045ddcc2d441d4e31

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
95KB

MD5
edbfc64733e1b74e54e88d34909a166b

SHA1
df73686087517be209398906efb94dc1b1f7ecc1

SHA256
e29d607964da269c10678101ca66bad331e48187cb6e8aac595cd147595c5c05

SHA512
b6a5484c6c4b3ca0da732efc1fbcf2fb5b96d1e74ebbdde07428dfe688bb06478d8f795476c84461b7aeec2747c532da591f4c6f843452bb74a81739371ff712

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
95KB

MD5
f25c3b107ceca83d081b06bb6f345dda

SHA1
4fbd78656515142e675a840a050666a5d527d18c

SHA256
2bd1877832332064b88e537b2cff13ae2630867e4aee6adb4a786ff8d9ba51fe

SHA512
a49e3822d2992fb7ff9471ef61cbe274745f858a396981f74bad4ac6b87873efda018986fc664054899031a46936aa91712f87c3bcc0ff1db7225adbfa519a76

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
95KB

MD5
47e59bd5faaa6fda015b7e9c2b1f9adb

SHA1
81f4897481a000fb6d81d5e30756d914d03e5526

SHA256
a273857535bb06d302d839fd374669e6021753c0e07f57c6b033a7c5c1bc7dc8

SHA512
601c9e787077f38c12fbd2c712622c9e37c649a51cc24c85943f001ee0a6ccb231629f29b7ecf084b6cd3c3ee7cb5f7629729c59e4dbda166e1a92188c1ced9f

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
95KB

MD5
a6a2e093898233a00a6671ce3d5ca770

SHA1
47be15790cea1ed99bc1cca237a16783efc176ac

SHA256
3c6e43c7477e735947b33b4272696104587b93cff2e9148bb1a31c9e8300e1d7

SHA512
3cf4b53d5b19d3e2d53dce801a512db5a07c107fea2595a1b1f23b6920b37fa202e1b4b3ae478547109a19bb5fae01a707fb9b64a54c8cd3bdb4ce96d7c08f32

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
95KB

MD5
ff12bbc2850d92bf8beeda8d10f2192f

SHA1
a76ea2ba23e500dacf0094d098fa7279594d8d6c

SHA256
85ecb5f15cec66d844a0bfa78948820e727db45675d2f628e9ed5eec1bb48f78

SHA512
b3b59b734a1d674a66ee7e3637d9f20e7abe10c8e38d4ef30de7b536fdd39d79dec14f77bc292668e73f64f7e4aff06aa3c59da9ff1fda436999803902aeb5a9

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
95KB

MD5
32b435c0e2ff401b3a0c2a08aa84a55a

SHA1
75a450ca6c5e123b0b2242bd601b867e5568ee80

SHA256
52c655f953da17036535bc04cfd6783ff575e001a0a47a566dd36c3f640363a9

SHA512
831c8233c9b67f159a9bc0d01ef78edf77964096583bd3b264aa501ad641ef9738e8a23f5afd8033c3553bfbb80e6e83fcff933060e5f5dacccd0b2b22284007

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
95KB

MD5
26b0d5863ba731a7a760904c7ff8c725

SHA1
0d7019751061b23525beb1cbda0c7dd2f170a1e6

SHA256
3d6f3f875eae6e9e07b5a8b8848076bb5881ace3f899c2efca5c6fe99acb26a9

SHA512
978a2258a2ff60f2b86c43c80840dcb987badd076dbbf72f2d30ef97a92bd6d9a4278f7d18da8762d208c58b07f33d91f68fc9964d1ff097145964a3a730f3f0

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
95KB

MD5
9b39a182ade31e4c5003cac1fe492f2e

SHA1
12dad4f92aecda53f3b3ea2cbdc5d7c2637f8b08

SHA256
48b4e7fbd1011a1de96a2822c30516d586b615cc41668d64c88cb61a19fe3744

SHA512
3d2ae5695bea41b82a42773ab0fa5f01701681d10a2f8eb2de0322979469fe07bf9fd1ed30ec328d08bafaa1349e9a2320569cb62e5cdadaba3fefc52c798a47

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
95KB

MD5
35cf06d74c1b1c24f1a3627d28ba2b2f

SHA1
ad2697ad7412bed1579c62838854f1db8bd4e5fa

SHA256
40fe8426b9ed85a9be90b29b04ab9c2800fe2a7941282f9f23fac00e2379e2c8

SHA512
ac7bb51f980d8c47c2a5235a3c0994829d6e14df6ae7e4492071724f92a17bc55d28954a91000c09d9e92f4ce018a43c535df76ae0b7b858d56af60224dee93c

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
95KB

MD5
afbd35af369d84b1174bbc8d7c757ab1

SHA1
9b63585e37ce11e24ef6838d9740fa5ede97a930

SHA256
d71c8bca6b9a9b059710da829b7b8914e2602d17719b8d821cd052bd1c571f9c

SHA512
3b06389976f521612174a328bb2c5a834c9e408f8ef61bd1183f5e6b6b87cdec02b801628ce2de494a04c22e6e88c98bfa5e720289fecb29a9bbd12b067a9b73

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
95KB

MD5
ada2b51f6aadb04d60a646fa800665a7

SHA1
dc17dcc6bd5038741bbd51dce11e43691ae27f84

SHA256
8371c0c4c6be1ad055e890b2ff57fe4c0d9b83b32154d60a84c7912cf1126e3d

SHA512
453b6a819f56d042f65b5291e28dec2dea8317241f7bea834f85231635c428356306551ce1f71f60de30124c036861d7c153b33158ccb5839c83cf6c9a7917e1

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
95KB

MD5
5809bef57d333532a71d77ea3365fbca

SHA1
91fd57285a30ef16eb155d0912dd65f2ffef68c8

SHA256
291e3ce789c3d616b24299edf3aee2807242c8ed2134447bd64ef7fa3030eb92

SHA512
60b49a58386283e4b99a3f8a1b85a33ee4930e32f2383e8dc18726159a7d07a70636e7d450d141844625866dbc5a8df7491d5fb4d1ef785c520f0272485d4d9a

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
95KB

MD5
2beadbb0bbc8d2c9be6cb8f648cb0a52

SHA1
f5bacc381ec158b7b2db8e0b6a85cd3406d809e7

SHA256
77763f1c6b76ea646944685f2bbc076ba89811350420da4fb0ec14bd23dd79bd

SHA512
1bf0e34250f371bb1c0c19c1e2292a39b841b284e8411b4aa237d26cb66fadd100bae5ac7839d08c306506b03f9a2f746745d3d254d0a0712ea472b4f8922bca

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
95KB

MD5
8af231565ea16c809bd5a25d7ced1a07

SHA1
3e2e8956eb7bdb8e4d2d424ed7eecd999ee86091

SHA256
a1d5690da234d41310218ed64ca44d223a7f3c4d77b7b5fdee4161b73d57302b

SHA512
fed75d27c4f07ae10f2bfae591955818ff3477c4a2604d25aced0c3a600b8f64929b8a64e210aaa8b9b4b3df7bf0de058108eadeb8e7a298bef2603370049563

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
95KB

MD5
756b109203d48cbdc9a7d01561b691c6

SHA1
9885b873396289a5bc62ea60fd2cd497b7d8e6b1

SHA256
3cbf03f150ad7e35b843de0c282b03ecbd290c7e074d3c92824299391344a75d

SHA512
faf1412d903aa5c3a8a68b3f0b166860d0302dd9672fdd634e4efae369429143a2236f13767ab61d74d97b91f09348ba7b5a97244611c18ed7cdf890561af3cc

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
95KB

MD5
32c2d3f3eec3f72927d3c9173420ae08

SHA1
504e4c3d310800634b3f3a53af4e28a4aa0a9a82

SHA256
1e5dcd7932a9e879cf4258806c44167419832780e43e8ed33fe5c0994cf3cc90

SHA512
828fb0a258e947192d4e9df6028dd737f8dc083c37bcce41dba9b680285af76d975704eae6500f398781872193b657a7e08ece72f8c14c17793b2dd3c8ca50d6

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
95KB

MD5
711e19cc097b431e7ebe3af67d7934bb

SHA1
b4286463180860f86ef079f462680b1e7a5b6e62

SHA256
641b40cfd5140a9b920d73ba4017854e4697e510c179685385cf7d22a7cd7a08

SHA512
8140dafd64d6abac8dc841b05ed1f4ca4d24af4477555bc97ed78d67ffb8f6c62968a4e9440cccbbe9c34638cc2cb81d993137b5168986c4aef8f143dcd05136

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
95KB

MD5
fe2a1cf9b6aa7e2681acc2f210d24257

SHA1
0032eea7aaa9b8ccb98ffff4a48583380e746587

SHA256
b1cc35406f5d422aa3c0179a0281e91b694f94efb3fd004209568e7135106bc4

SHA512
7c5591a53d66e8bbef184c10a9f07acc33baf3554b8cc2cde06263e4141fb288cefac9cf4985ae4ca2c24e18458e08dc0844d74ffbda2fdb168cfcf2b9e41bf2

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
95KB

MD5
ec1cf27ad18a8745fb57d98f05f111b4

SHA1
afd864c14e8f53be3076273433501bc7418984c6

SHA256
bd083abc84717a71eb51d5f3ad71e44435aea7172553931704f5611eea89f48c

SHA512
f94e51b2baea0ce9869b6f3af8b7b9a83e43dc5a0cd4dbe78e7565be6c88722f20950e54ac43a64d970df49bcef7e2924cd81144e861ca04790daa79c777a422

Download Submit
C:\Windows\SysWOW64\Mkijij32.dll

Filesize
7KB

MD5
1ae4b0a025437a9e150c03810ca944f7

SHA1
debe31d3b3963ad683bbe42b8dc831b581d8d18f

SHA256
34b7c21f4a7123f5f1da84520a77643cb145b95f7e5968a86494fbe85c4df386

SHA512
604c51d12b8472260e0d931c4cd1747d578c5a409b9c18e6390662d0f28a696a5678008fb254571bd3b00f411851629ed7803ad607cd0328dffe6dd52d9a9e2a

Download Submit
memory/344-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/344-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/436-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/436-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/556-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/556-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/988-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/988-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1728-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1728-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2228-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2228-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3148-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3148-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3164-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3164-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3232-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3232-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3244-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3992-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3992-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4512-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4512-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads