797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9

Analysis

max time kernel
141s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe
Size

64KB
MD5

6d7d142d015565b10dd66e2d5fe43157
SHA1

bf0b6ea3fa350b946ea6163facf32efba2c946d1
SHA256

797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9
SHA512

54f678b549ea9a39faf4255533003ed7f95bb7780056fed902adc7f296b06c9979ff182a54d37350fb3d1523301b613f8432136ab96bcfb366632e7f5b374486
SSDEEP

768:yqIJt/qyexdpxzEVLfWYM68EF9Q9S+As316Pk/1H5KXdnhgOPuM1DPf:1IJt/NexV4L+w7F69a86PG2ZuYDPf

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe

Executes dropped EXE 41 IoCs

pid	Process
3800	Bnpppgdj.exe
3660	Banllbdn.exe
1000	Bhhdil32.exe
4452	Bjfaeh32.exe
4652	Bmemac32.exe
2108	Bcoenmao.exe
4520	Cfmajipb.exe
2844	Cjinkg32.exe
4904	Cabfga32.exe
752	Chmndlge.exe
1732	Cfpnph32.exe
5056	Cmiflbel.exe
3596	Ceqnmpfo.exe
4524	Chokikeb.exe
4292	Cjmgfgdf.exe
3552	Cagobalc.exe
2896	Cdfkolkf.exe
2500	Cfdhkhjj.exe
1676	Cjpckf32.exe
896	Cajlhqjp.exe
4540	Cdhhdlid.exe
4596	Cnnlaehj.exe
448	Calhnpgn.exe
2624	Ddjejl32.exe
2852	Dfiafg32.exe
4216	Dmcibama.exe
4140	Danecp32.exe
2676	Ddmaok32.exe
1604	Djgjlelk.exe
4016	Dmefhako.exe
1148	Delnin32.exe
3360	Dhkjej32.exe
4768	Dkifae32.exe
1556	Daconoae.exe
4208	Deokon32.exe
5016	Dfpgffpm.exe
4744	Dogogcpo.exe
4020	Deagdn32.exe
5076	Dhocqigp.exe
2812	Doilmc32.exe
3504	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2824	3504	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 3800	4516	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe	84
PID 4516 wrote to memory of 3800	4516	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe	84
PID 4516 wrote to memory of 3800	4516	797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe	84
PID 3800 wrote to memory of 3660	3800	Bnpppgdj.exe	85
PID 3800 wrote to memory of 3660	3800	Bnpppgdj.exe	85
PID 3800 wrote to memory of 3660	3800	Bnpppgdj.exe	85
PID 3660 wrote to memory of 1000	3660	Banllbdn.exe	86
PID 3660 wrote to memory of 1000	3660	Banllbdn.exe	86
PID 3660 wrote to memory of 1000	3660	Banllbdn.exe	86
PID 1000 wrote to memory of 4452	1000	Bhhdil32.exe	87
PID 1000 wrote to memory of 4452	1000	Bhhdil32.exe	87
PID 1000 wrote to memory of 4452	1000	Bhhdil32.exe	87
PID 4452 wrote to memory of 4652	4452	Bjfaeh32.exe	88
PID 4452 wrote to memory of 4652	4452	Bjfaeh32.exe	88
PID 4452 wrote to memory of 4652	4452	Bjfaeh32.exe	88
PID 4652 wrote to memory of 2108	4652	Bmemac32.exe	89
PID 4652 wrote to memory of 2108	4652	Bmemac32.exe	89
PID 4652 wrote to memory of 2108	4652	Bmemac32.exe	89
PID 2108 wrote to memory of 4520	2108	Bcoenmao.exe	90
PID 2108 wrote to memory of 4520	2108	Bcoenmao.exe	90
PID 2108 wrote to memory of 4520	2108	Bcoenmao.exe	90
PID 4520 wrote to memory of 2844	4520	Cfmajipb.exe	91
PID 4520 wrote to memory of 2844	4520	Cfmajipb.exe	91
PID 4520 wrote to memory of 2844	4520	Cfmajipb.exe	91
PID 2844 wrote to memory of 4904	2844	Cjinkg32.exe	92
PID 2844 wrote to memory of 4904	2844	Cjinkg32.exe	92
PID 2844 wrote to memory of 4904	2844	Cjinkg32.exe	92
PID 4904 wrote to memory of 752	4904	Cabfga32.exe	93
PID 4904 wrote to memory of 752	4904	Cabfga32.exe	93
PID 4904 wrote to memory of 752	4904	Cabfga32.exe	93
PID 752 wrote to memory of 1732	752	Chmndlge.exe	94
PID 752 wrote to memory of 1732	752	Chmndlge.exe	94
PID 752 wrote to memory of 1732	752	Chmndlge.exe	94
PID 1732 wrote to memory of 5056	1732	Cfpnph32.exe	95
PID 1732 wrote to memory of 5056	1732	Cfpnph32.exe	95
PID 1732 wrote to memory of 5056	1732	Cfpnph32.exe	95
PID 5056 wrote to memory of 3596	5056	Cmiflbel.exe	96
PID 5056 wrote to memory of 3596	5056	Cmiflbel.exe	96
PID 5056 wrote to memory of 3596	5056	Cmiflbel.exe	96
PID 3596 wrote to memory of 4524	3596	Ceqnmpfo.exe	97
PID 3596 wrote to memory of 4524	3596	Ceqnmpfo.exe	97
PID 3596 wrote to memory of 4524	3596	Ceqnmpfo.exe	97
PID 4524 wrote to memory of 4292	4524	Chokikeb.exe	98
PID 4524 wrote to memory of 4292	4524	Chokikeb.exe	98
PID 4524 wrote to memory of 4292	4524	Chokikeb.exe	98
PID 4292 wrote to memory of 3552	4292	Cjmgfgdf.exe	99
PID 4292 wrote to memory of 3552	4292	Cjmgfgdf.exe	99
PID 4292 wrote to memory of 3552	4292	Cjmgfgdf.exe	99
PID 3552 wrote to memory of 2896	3552	Cagobalc.exe	100
PID 3552 wrote to memory of 2896	3552	Cagobalc.exe	100
PID 3552 wrote to memory of 2896	3552	Cagobalc.exe	100
PID 2896 wrote to memory of 2500	2896	Cdfkolkf.exe	101
PID 2896 wrote to memory of 2500	2896	Cdfkolkf.exe	101
PID 2896 wrote to memory of 2500	2896	Cdfkolkf.exe	101
PID 2500 wrote to memory of 1676	2500	Cfdhkhjj.exe	102
PID 2500 wrote to memory of 1676	2500	Cfdhkhjj.exe	102
PID 2500 wrote to memory of 1676	2500	Cfdhkhjj.exe	102
PID 1676 wrote to memory of 896	1676	Cjpckf32.exe	104
PID 1676 wrote to memory of 896	1676	Cjpckf32.exe	104
PID 1676 wrote to memory of 896	1676	Cjpckf32.exe	104
PID 896 wrote to memory of 4540	896	Cajlhqjp.exe	105
PID 896 wrote to memory of 4540	896	Cajlhqjp.exe	105
PID 896 wrote to memory of 4540	896	Cajlhqjp.exe	105
PID 4540 wrote to memory of 4596	4540	Cdhhdlid.exe	106

C:\Users\Admin\AppData\Local\Temp\797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe
"C:\Users\Admin\AppData\Local\Temp\797fcd2dff5989542bc613975c49651d32103a5097af6ca99ceaf3f5af70e5d9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\Bnpppgdj.exe
  C:\Windows\system32\Bnpppgdj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\Banllbdn.exe
    C:\Windows\system32\Banllbdn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\SysWOW64\Bhhdil32.exe
      C:\Windows\system32\Bhhdil32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1000
    - - C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 396
        43⤵
        Program crash
        
        PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3504 -ip 3504
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
64KB

MD5
b20152e284a7b5ece70d5459992b7585

SHA1
19e5e102afeb7acea6ced2ac7f0e864ef35c09dd

SHA256
134d33ffdb2f6f78974973f7cdd26181780a35bc92fd7bb79e94f4ed631509a7

SHA512
ba26c3a7f79538b8adb1542b34daa24528a5f25853a8f1f304a0117c62bb2cb54260959168641905dab3c1f10153b575c77b017d332706da82b1d285e4f44651

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
a7c3492de71d0bf322d42a9abc21fd3f

SHA1
f1928c9abd4a0d018eb6a18256bde6bec7493c9b

SHA256
040962c3ee4368af59c2342d2f9c71136a12664949c054501cb92b0d5906e427

SHA512
47631f71ca716b5e0996a3c4d5faa5e8133acc3f56490a384c1a1ede101351fcd19c16927b0c96e1383034c61faa21dea9bda069cbe474af561c1a581710984e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
64KB

MD5
5b5e1d671a452b011907b7dfe0924f3e

SHA1
247d785458c4a1ea7099aea5eec40f91ef46b206

SHA256
d1ec77379d832539876f8165ec010c60100fc0f0fb6908de1dd4fe81587b18f8

SHA512
16e9eb20f696c2df92f3462bf2c586cc33f222f383c02bb3ee1a3cd735da50c337cf6965bae5f5766b6ef8a25737ce79d12bcba1e405e84f6e67958cb7d9ffc4

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
2d67e8d0b488e25b46b61aa6d8ecbc2a

SHA1
53003a7c637db14256c29a80294d3b0a04c354d0

SHA256
7821a57d123a0d934e8fdf3446e1026432b67682c6507de9b2def4f5c73c0a33

SHA512
d23163e7ad1f1e7efea0ddae48d31919c2c6b3d723288a8ff6b71d962a4da6f0fc5cd26c23ab3906c98082d126092aa687f11855daedc47d6ecf488bb856f0fe

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
64KB

MD5
9ebf41e031547423f74b8719c3056735

SHA1
cea7668f6b6a7bb04ad859a489472290d5619d28

SHA256
6716d0690a46977eda2b0d508234baec4de8d42c73c45703c5bcf2535a376f59

SHA512
337da835dd7593c4d2cbc8ec6c3e109324e0285f792eff77469833b62bb413246a85a0752a4a806f365e0db2f61b0492f624bfe358073df1f74f8417d8cad480

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
64KB

MD5
6bd184433ce26b3464462e0e6f77bb38

SHA1
7d92ee45806d5654704e4947757f0839eb1a2010

SHA256
9e1c79058a0aea23c2a9802af5101c5bd83579f40cf9e6a180df517e0c51a40e

SHA512
7f428c7cc6482e3a2b961bb801d7bc5ef772e4301277533cb9be1f1f60b2e9f4b718159f48b7e7189d21393fb961f8b96dc02664796fda90e10f0e580cb63403

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
64KB

MD5
ec32dbece91f157ef7d503dbf710da5d

SHA1
5e46e78bca82ad024b9bc08a9db67845e617f8d0

SHA256
54741a31e6494b6b7fd278eab260ad70a66d76c284c6aeb7bb8d3f0be912199f

SHA512
40ce33457518438b78df4a2b8a4714a31276a1c3e9c0ce0ad75a2486c0bee5c5c943d91e318ce2f2892e3d872abd50c4b945f39d29f0ca77368d70073a5ca0d7

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
64KB

MD5
acc7390525f34b522419abd2dabc22b9

SHA1
5800430061142f264d6026e40a82b098d7a26c9e

SHA256
d5ddae3210e7e5c205aafb763fed41a48ee768ee04f7d28c4c02725929c7eded

SHA512
6a51551fc7e3b8d5f816af2f13eb357134c8cbf55ab1b5877030da42ada6206791d4c6898da91b401accfeb7337c25de21fb9f966672bbb06b2a06eb42f045ab

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
ec361cd7cbd9b8c9b405084a815396ed

SHA1
22d8daec50d19eb8f01bb7bd92d56640eeabe1c7

SHA256
cdf697cd698c2157110a8445c30707a07ae9fd5a6b7c543dc33cfdc4450b0aed

SHA512
c1b1bc2d2e63f8483b4d986abb55a58d8ac1caae681f8c3f3cf50e6a481e113811f5f9c4283f8542fe06515b9ff732582635618a5f544573707652963b857998

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
4c0bfdc0d216ddcb66ca20ea8c44d38d

SHA1
2d8b78e8262aa6df970ef05bd96c8e8c55f98f9d

SHA256
595d04f7a6f6c8f0644620cf8f9d3de8390b5a32342f3565dcfb90442d6aa7e2

SHA512
115faa4acea64a79ceb50b58248f3f1206e61b1af650504e98b5a3ce9953e17f17bff83634078a9da152634feeadefbe6b938f5b97734ae4a958f0d8db52154d

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
9fe461162eb2762893b4f9691bc76b37

SHA1
ed1088845616ad29bd837bd39cced8b5b8382819

SHA256
3d767b35f27bf9a395121568bf2302e7c309db367be172d66bde8604bc7d0f0d

SHA512
afbf4d733dbe59ffac74a64ae341de4e9aa2c61eb7f053c9fc311a32adc763eed25f6427fd70e4c4e253bf1f1d25caffa8b5373746a82f62cab47b766632ca2e

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
c2434ba91915de318966aea40d9032bb

SHA1
67130768e95c993b999d7a73aee75ea3604f3f14

SHA256
e24b7b2e9350be233d48e9aca1e4c42c30ef3548a9d70f9c281bcf652f28fc64

SHA512
e0f3d994cb1e74f9b357b0ca1bda067c2eb80f83325757ed657e043aae9ec9efcce847aeba77b471374473fc52f6949afe6ffda371fa685ac9791f68f9803631

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
64KB

MD5
ace4ddd9cde185b9812bc5768a70f0fb

SHA1
030ff7eb89fe30d498621966dff48a1245c93adc

SHA256
58bddaa4359c8fd58f2548c1374d25b3d240961ffa51693bda56ac8372170eb1

SHA512
508af1202a277333a81085a7da84e77b7506b39947dbe1fd663e81b83ba81428e5d51f34b0bddbf3481bdc0a6187522b43997a90fb7ffa7aabc469129f253b23

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
40938debc7918fc7855521050b06c3a6

SHA1
30065195f86c49d2ba95be2dc9eb5bafba5f8d83

SHA256
d5c339efd098b83434a1656a093c3c6a2fbebc6129582570c902bdf7c8443c21

SHA512
20f68f8071f035c7a5aab997051645f3c85516886e88a2d02e5725ef211f93e22db893a2758f975e095a764f777c912a2a0f5b8a3910e822ca7c75507f883112

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
5eedc455639b0f7b4911b242cf856127

SHA1
fda1052115fc2287d6329a4b2bf6bbae4c72f4c9

SHA256
8bb4350130c176ddb38be75ba144f27cf3c757cff65f2e0360e7abf29e4814ea

SHA512
7ad788d8b4db4d2af42547caf7d78e943d99b358363a10d41337e904d44cf1b369a5acb44f0563cb9f97c31a1d8fd53d97ad893fe257693763b0c31419b6d5d7

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
64KB

MD5
6a5d71a988e525c6a35a4b5c4f37c5b3

SHA1
8db69f899d63c8f4988c636f00a6fefe50ae35a3

SHA256
3f6b0adfc6259008f1ddf9c7ded3b29e1b3fc0b09c48b4c251acda1911fae709

SHA512
973c886091af61c2f3f9f93ee20a5ba5757df86daf1bc0e2ffe01167955d8e8281c1f3af1da78c3c31653fe80840fcc970179353ef303b51a96c46bf3fde0481

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
9eceacf66be01232fb207d1b40dcb4e3

SHA1
81fdcb4ca7e6b0ae9571771bf72215d37db9284c

SHA256
d0a89e8c1a5b8f5a5296684a98929ab426b436e112130d2ca20f204420f07b15

SHA512
b1e49a0940a917a7e668ac771c89076badde1cb654e37bcfe15a0d78d8b327b27de39952dc46fa78c798e283ba8fe2c80724491219a7953c737f341fc7b3ed13

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
160572ecb66acb5ae063e8f4dba8f77b

SHA1
1331d5b6be15283b22c5d579e6ac7680b1d9a59a

SHA256
547ab1642f126003e07282eb82ed123737e0966778491c113f28f8eed2350238

SHA512
7a8e0c654fb779166dd677938d4a2308537af9b5b81c66647b5759c4824bf9da9a3c089b73c56762ba046d59d1041252f2ef74b46682374f177dae68ac25b25b

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
97592b9fc72eff36de61aa32368ec01c

SHA1
6bca65f16c9e051695fce47e8364945ba2821c1c

SHA256
778c89b99adb0fe6df6a23044c9af529132e1806a7d13d145c5115c107c55096

SHA512
2aa257830997adff57c7a67889b4989ae9c64f1d55a803e1ee9e3ce7bc65875842de831285e9fb6464796b713df3b04d098d1fa45c32b48b8e4a241c5aabd346

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
ab0b76cd5ec74f8e9b377791d8d6ab4a

SHA1
8768508f0d0a82adf221df3b52852a810e36e13c

SHA256
ff4b3726e72de2fbc131af81e39678a31ca8a1725aa7fc111f4c0a2838daca99

SHA512
69450d49e052acead4a5d4b698ed34f8415ae8144330c80cabae642443148a336ea927d6219842f32f25d4ad33fbb5fd786461c3501608413f05a32ad0c3914f

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
94eb24443f514c3f6710d503103d90e3

SHA1
02776a804d31d1f209d8ea654b0e58fb180f0f09

SHA256
a697082ed1b68f86d1f4237187468fab09c71dcd4af60e4b7b80cff9427dec98

SHA512
b587b08cc310046b1390c7acfffb9fa365a465bec57faacd5b1ff31c639b7d1d64ef9e675b18576d052a7f30506b0193d4a6a24a394af688ed85ddfb5d52a272

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
64KB

MD5
a500fb132a13c0fe2dbf5a538e1cd1cd

SHA1
790594fe580a01d9c7a1c0cbfae9bb3bc99b2d64

SHA256
543cc91e00576c90a25df3ad4535004dc5291d21791df7077c7e045e61c5fe0b

SHA512
0811139eb3587056b364de10345596c56c3cfcbec952aaafd5fd55e04cb9f4b9b6fe2e362fdaf5d5f17cf97d8e38d665915620716a8e37aa9c4a63ad7f01a5f2

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
9b7aa3a0c86d36350cad0e38902a85f9

SHA1
148346dd7797bd771ecd64b9411831057fb7a555

SHA256
06d419bde2e6502fb8a59b222e127e41779b72c6434773e91e2685f6b238714a

SHA512
3d1c64c5b2b6d1dc59af40e9f0ae9dafe59aa7a3caca8fa5f9aa5cbff4affec650b62e26c7aeb421e84a9b78239a77cc3c3843298fd5c1ce58013b2850820a65

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
3aa5e796a3807af50fc5293c7a72d09f

SHA1
a208c4c4732503309c2bdfcbb363c067b02f3071

SHA256
6f3c0ab6fab9259d305ed4627c9fde3f9511fb2111988b13fd46b2070d7e2fd5

SHA512
f00185073a495c4d5f86dcd1c30d2b2e6d947c6f5e9880c8379a2e60a203ef310d9765f66292874b3099ea7f6761aab8c830d6aeb8447c705231528455a3372e

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
6994e3b73ce9665284107343a87c614f

SHA1
c3601f2d1d1ff0355269f674d9c929fb4a457b43

SHA256
b1705efd1b9dd1a065da44b91262adb14c4a45e50ba676ced2013a70b8e254a0

SHA512
b16232d444f2c5a0bec7959469ad65ae982b60094db90cc70b9edefd71df389f58bfadaeac1dded9e2470567417189c3f23349f8bf207de23b89dddb3013efea

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
2d36022d4c4ef783e75f28e952aae324

SHA1
7e11b161daa0e2639b047fdf27378aee52dc679c

SHA256
84c4577f74bab6fd7c9dee771ecc4545d801e54859594825d3c689a92e1943b9

SHA512
512dfd7ef68a944adf44d00694857a04182be288f1d33e2e4616d93aef5e79ed62f89e2d9b672d5ceba83aa7eb44c7ae4ba74d12697aee80f4be7b1aacbf933f

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
4df2021810e28211640c1e11262b7bf2

SHA1
6bcc3669e5e417f9819911617ba5659a49a3d2f0

SHA256
e7a9fee4c01ba4199e01c9709b873e4b15536442ef74a7a472b534f52bcc1466

SHA512
81c01dd7b63549663068571a46a81793f83544e761d3487dc8b50d901c011cf628d47de24f6a3181b40272988ddf174adacd07812121adba3353419ec3f68bc6

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
e8bff6e0a04f8168c5d4533185cb6d74

SHA1
4d03869a47030f46b5e93f9be0a10ca842ec690b

SHA256
15e312cfbbeda5b934f83b0e4950050af07479468e2d4b1342594090f7ed0422

SHA512
3000e95fcf38c8ca64525ddf226b530e81103e6e5eb9afd95496a644cd50b5e05a50fd767600a5b28578d0da43d5490bf08d7d91236c3956f8caf6d9a6ec98a9

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
1611674c034097d74c4efc78dd8fe26a

SHA1
9149d9f35ba0cbd978ed685c5f5de469460a2b26

SHA256
c36d960a4fa181347eb4a826760ca84eb731059772f1df81d7ac42c4821b26a1

SHA512
84eae092eae49bff4220e0d9c0e084dcc9d0e3d07c1772d4d352dacb8df88e085de82032606628fed95d8959479a84653b1ea80c1d7beffe0e9ba53e96894909

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
f854af6d97aef5c4d330f1dabca2997f

SHA1
d29af020123d2b39438fcf50b9d7df7e49a9b2f1

SHA256
81a3acb0138c64ac314dd9a464c43b016dbc8b8713e8e84705297ba7b5b36dc8

SHA512
7f6acc374933559ffabdf11182b71ffbacd576ca7b08b6f665d0e7e3f01100c201a7febf2f2ac9b06015923d05ef3ea47ef3dd8bf2a6949d60294cbcb9c657e6

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
64KB

MD5
352125e152c46bb1d88f39c852d93cce

SHA1
becdb8cbed48ea987b6d6cb20790bd8ddbc0fb18

SHA256
4a865a11160937d0c56a5757aef7aeebb57127d109a037bdfc47bb6dd61f27e7

SHA512
bd89743eb8e36ffc9d20c5a471491385f10b2d04a78f8a1266d71a93218496fd9c9d1e1853d79326023147a98a1064d650b7cf65c830058d107c7900edbe9aa8

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
64KB

MD5
334ee856c8b2f8ed9dfc07a628b51c95

SHA1
6a70c2743966c1bfd26402c48f59ad0919240235

SHA256
31bcb02c91b5bcd927e28b22a7a24ce3349908a935b51fc7cb33305d17fd0b2a

SHA512
c4c122d8a6df6365aee316a3a8ae0188d00817c621b567e89a04a108bf8b8495995826e08b239f3a50c5e40eaf846718869b10713e73f66b12cb24f994315d08

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
3651311c93b8826836a824f7dcdcc658

SHA1
f93f43940f281f23d3ad1033d3fbf4ca19be5324

SHA256
cbbdf0368a91fb289545f3fcbf7f73620ce24b15579a7614f6153a59fd63396c

SHA512
b4ff6c2d150a1287ebcc3ecfdae6a9ca9ab8f47c8dafa37e508a1bf7298bd418f219e50c75d6f69af5c9e93658931a1710a8f8ca5335e1a71c229aefa940fd87

Download Submit
memory/448-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4516-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads