c626a86d4db062201e1ab79c68f894df548bc98fc78e8edd35f76736163779cc

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a0ad43ce44cab3e4f9bb414652fd7e0N.exe
Size

199KB
MD5

6a0ad43ce44cab3e4f9bb414652fd7e0
SHA1

2b86568a4fc5d38280baff704b54647cda2fe282
SHA256

c626a86d4db062201e1ab79c68f894df548bc98fc78e8edd35f76736163779cc
SHA512

ce70cd77d15c7a86902eb2d45f90875e2814e1365097f4a399cb3db6794856972816111fbd4cfc1fc5a3d32c5017c75b59680c664e16fc7a92206aefef7b2915
SSDEEP

6144:UACtd8KjSZSCZj81+jq4peBK034YOmFz1h:QwZSCG1+jheBbOmFxh

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6a0ad43ce44cab3e4f9bb414652fd7e0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe

Executes dropped EXE 39 IoCs

pid	Process
3060	Bebblb32.exe
1864	Bcebhoii.exe
1792	Beeoaapl.exe
4516	Bgcknmop.exe
5044	Bnmcjg32.exe
2524	Balpgb32.exe
1528	Bgehcmmm.exe
3712	Bjddphlq.exe
3312	Bmbplc32.exe
2068	Bfkedibe.exe
3724	Bnbmefbg.exe
676	Bapiabak.exe
4920	Bcoenmao.exe
4276	Cmgjgcgo.exe
2236	Chmndlge.exe
3092	Cnffqf32.exe
4460	Cdcoim32.exe
1644	Cfbkeh32.exe
3156	Cjmgfgdf.exe
3596	Cdfkolkf.exe
4608	Cjpckf32.exe
2416	Cmnpgb32.exe
4360	Chcddk32.exe
3132	Cjbpaf32.exe
1312	Cegdnopg.exe
4028	Ddjejl32.exe
4540	Djdmffnn.exe
4192	Dmcibama.exe
2260	Dmefhako.exe
2004	Ddonekbl.exe
2588	Dhkjej32.exe
4440	Dmgbnq32.exe
1868	Ddakjkqi.exe
3324	Dkkcge32.exe
2364	Dmjocp32.exe
920	Deagdn32.exe
1488	Dhocqigp.exe
1064	Dknpmdfc.exe
848	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3316	848	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a0ad43ce44cab3e4f9bb414652fd7e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6a0ad43ce44cab3e4f9bb414652fd7e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6a0ad43ce44cab3e4f9bb414652fd7e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6a0ad43ce44cab3e4f9bb414652fd7e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3060	4496	6a0ad43ce44cab3e4f9bb414652fd7e0N.exe	84
PID 4496 wrote to memory of 3060	4496	6a0ad43ce44cab3e4f9bb414652fd7e0N.exe	84
PID 4496 wrote to memory of 3060	4496	6a0ad43ce44cab3e4f9bb414652fd7e0N.exe	84
PID 3060 wrote to memory of 1864	3060	Bebblb32.exe	85
PID 3060 wrote to memory of 1864	3060	Bebblb32.exe	85
PID 3060 wrote to memory of 1864	3060	Bebblb32.exe	85
PID 1864 wrote to memory of 1792	1864	Bcebhoii.exe	86
PID 1864 wrote to memory of 1792	1864	Bcebhoii.exe	86
PID 1864 wrote to memory of 1792	1864	Bcebhoii.exe	86
PID 1792 wrote to memory of 4516	1792	Beeoaapl.exe	87
PID 1792 wrote to memory of 4516	1792	Beeoaapl.exe	87
PID 1792 wrote to memory of 4516	1792	Beeoaapl.exe	87
PID 4516 wrote to memory of 5044	4516	Bgcknmop.exe	88
PID 4516 wrote to memory of 5044	4516	Bgcknmop.exe	88
PID 4516 wrote to memory of 5044	4516	Bgcknmop.exe	88
PID 5044 wrote to memory of 2524	5044	Bnmcjg32.exe	89
PID 5044 wrote to memory of 2524	5044	Bnmcjg32.exe	89
PID 5044 wrote to memory of 2524	5044	Bnmcjg32.exe	89
PID 2524 wrote to memory of 1528	2524	Balpgb32.exe	91
PID 2524 wrote to memory of 1528	2524	Balpgb32.exe	91
PID 2524 wrote to memory of 1528	2524	Balpgb32.exe	91
PID 1528 wrote to memory of 3712	1528	Bgehcmmm.exe	92
PID 1528 wrote to memory of 3712	1528	Bgehcmmm.exe	92
PID 1528 wrote to memory of 3712	1528	Bgehcmmm.exe	92
PID 3712 wrote to memory of 3312	3712	Bjddphlq.exe	93
PID 3712 wrote to memory of 3312	3712	Bjddphlq.exe	93
PID 3712 wrote to memory of 3312	3712	Bjddphlq.exe	93
PID 3312 wrote to memory of 2068	3312	Bmbplc32.exe	94
PID 3312 wrote to memory of 2068	3312	Bmbplc32.exe	94
PID 3312 wrote to memory of 2068	3312	Bmbplc32.exe	94
PID 2068 wrote to memory of 3724	2068	Bfkedibe.exe	95
PID 2068 wrote to memory of 3724	2068	Bfkedibe.exe	95
PID 2068 wrote to memory of 3724	2068	Bfkedibe.exe	95
PID 3724 wrote to memory of 676	3724	Bnbmefbg.exe	97
PID 3724 wrote to memory of 676	3724	Bnbmefbg.exe	97
PID 3724 wrote to memory of 676	3724	Bnbmefbg.exe	97
PID 676 wrote to memory of 4920	676	Bapiabak.exe	98
PID 676 wrote to memory of 4920	676	Bapiabak.exe	98
PID 676 wrote to memory of 4920	676	Bapiabak.exe	98
PID 4920 wrote to memory of 4276	4920	Bcoenmao.exe	100
PID 4920 wrote to memory of 4276	4920	Bcoenmao.exe	100
PID 4920 wrote to memory of 4276	4920	Bcoenmao.exe	100
PID 4276 wrote to memory of 2236	4276	Cmgjgcgo.exe	101
PID 4276 wrote to memory of 2236	4276	Cmgjgcgo.exe	101
PID 4276 wrote to memory of 2236	4276	Cmgjgcgo.exe	101
PID 2236 wrote to memory of 3092	2236	Chmndlge.exe	102
PID 2236 wrote to memory of 3092	2236	Chmndlge.exe	102
PID 2236 wrote to memory of 3092	2236	Chmndlge.exe	102
PID 3092 wrote to memory of 4460	3092	Cnffqf32.exe	103
PID 3092 wrote to memory of 4460	3092	Cnffqf32.exe	103
PID 3092 wrote to memory of 4460	3092	Cnffqf32.exe	103
PID 4460 wrote to memory of 1644	4460	Cdcoim32.exe	104
PID 4460 wrote to memory of 1644	4460	Cdcoim32.exe	104
PID 4460 wrote to memory of 1644	4460	Cdcoim32.exe	104
PID 1644 wrote to memory of 3156	1644	Cfbkeh32.exe	105
PID 1644 wrote to memory of 3156	1644	Cfbkeh32.exe	105
PID 1644 wrote to memory of 3156	1644	Cfbkeh32.exe	105
PID 3156 wrote to memory of 3596	3156	Cjmgfgdf.exe	106
PID 3156 wrote to memory of 3596	3156	Cjmgfgdf.exe	106
PID 3156 wrote to memory of 3596	3156	Cjmgfgdf.exe	106
PID 3596 wrote to memory of 4608	3596	Cdfkolkf.exe	107
PID 3596 wrote to memory of 4608	3596	Cdfkolkf.exe	107
PID 3596 wrote to memory of 4608	3596	Cdfkolkf.exe	107
PID 4608 wrote to memory of 2416	4608	Cjpckf32.exe	108

C:\Users\Admin\AppData\Local\Temp\6a0ad43ce44cab3e4f9bb414652fd7e0N.exe
"C:\Users\Admin\AppData\Local\Temp\6a0ad43ce44cab3e4f9bb414652fd7e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\SysWOW64\Bebblb32.exe
  C:\Windows\system32\Bebblb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\Bcebhoii.exe
    C:\Windows\system32\Bcebhoii.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\SysWOW64\Beeoaapl.exe
      C:\Windows\system32\Beeoaapl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 396
        42⤵
        Program crash
        
        PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 848 -ip 848
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
199KB

MD5
58e9cc02892e521af2184a5edb03960e

SHA1
b6f7d582c92fac0d5fd4257ebf9c4dc1a0286292

SHA256
2cd236079bb0e998982074e38e0577e0c1c0a27d2349b55e4651690b780215f1

SHA512
3becdf28469d5f242ad45cdd83d4a94469fc33526432b55a2d00ab0ee63c36e4da850850f668be5cd4c27d35f3161ee57c15de3830426ab6e6b8b94d8b7d1611

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
199KB

MD5
ff9e52667767cb1da5f8e2cf80ede506

SHA1
1fe59a38ac49cbbe1fdb76de868a7137db62b4e5

SHA256
7ff741f3e69f4a8c506931c052dfca464f064aea55dfe37978b5101065bee599

SHA512
d134064feedfa32e6dc166128e27a8afb9a6c300337ce5dcc51659454b4f2799fdc89b72bec213dc329b81384aeef9e2cef59604a5bce52ff83784bdc3ec1d0a

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
199KB

MD5
4bf92e4c859ffa5191194c8358f0f13f

SHA1
9e03f0a2ebc0f831ac100f7f65ccb0da3dd8ff24

SHA256
ea8cda398edd587fafe76e637ac3a25da1a72cd2359e39ba8e673dd61c1f0089

SHA512
f3bd8e1b27bda291c8a50239eb827c4484852a35906c2d544ea9cb2af8825474d9ca3af415fac65336608719768be70bf19fbe0d6c1108d0a48983c5f7366e8b

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
199KB

MD5
7a5ca9e9a9f9a4c7d2690e1cd5933c38

SHA1
ffcd8e66a64820ea56efc41c74882db8cb5d8142

SHA256
80bcc10cc81be085dafb5517cac7303772a03b54b114efd172eeddcc5be56ebd

SHA512
18b8fcfd5fe20071be5581b75a5baed6d2a2d227225a56fe6f171b30f9c0d061781a708cc87439f6349bbf2ec2f3369c237818083ee2a2c04925ecb7db47db85

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
199KB

MD5
7978d5798799d21495cab6ca69e02a84

SHA1
2abf9ee6d6091ccd8db3c56fb647dd356a9156ab

SHA256
c7de22c394ad27781d30bedf3e3e42a9cd6ea08b9ca26186254c1569f1a34a99

SHA512
f6373e00db5d7e86e6185cce8c44345539a2be7fd36b03984f772ccd58c6823ad873fbafbf921e4f45a87deaea1f1ae34c335b7431eb9a578b9e0da0905e803e

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
199KB

MD5
5a73b2744612f656e31e1a76866d13f0

SHA1
191635cc17e2cc1b060d5ba56e31e4d05bb89518

SHA256
a941751e6c208cf8aca394daf0368c4a45ededddf4ddf6a631d6df4e993d7dc5

SHA512
670b18d87dbee3b4aa2c67704171006b29b96a67121352cf5fae8c4652cf39a1f3d66a17e55ff2e930776f454b84f1e3751bc83432312de417253cfc3053d94b

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
199KB

MD5
984aaafdd5a183fc0926aa32e3c03a99

SHA1
e07a9d0c443753b5fd9822379bcc0ae8a02c0759

SHA256
565bc1197c82c8d407a5b51fbdf8b0c72269abbb8152d77c9fe6fe56ef8db9c1

SHA512
1bd26d3bbcbd2b0bd6e67cedbc87ac88070862a7b13596968461fce1d9051c368db6774da40599f86eb0225d239c94c03066e8a40784b05bc01dbf3a99e42d50

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
199KB

MD5
8104d4058f4e89c490e5d0d1077721af

SHA1
081d8c1064442e430a5315beae51cc2998466ba5

SHA256
a828d56e22880cb67340cd9c8d02a210fcb8224afc53341d0d3d8022885c0c73

SHA512
f100eade8e959340f7d04cb55dd3b5a1a7d727fb010de6567dd4679f6afa5ee8cb0d9bea56c6a8ac6fc988ae46a6a2d26686747ff174a80966c54c9f41c06751

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
199KB

MD5
dc968832dfe6b4e3a1f4a5f4964e1497

SHA1
a5e0f7030a4458d2866894722e3bb3d7e7ae2494

SHA256
2eab39e800080f17c08046c6046e9206a74aa075ae1bc842abbee7e3270ecf69

SHA512
8d90a36f4c7077d4e3b0207d0136d9b4b7531cf7c0e4d1f92c994d76cc3d5843986fcb248e82102f92b096d7abc6baadaf2df7ec50466b50c122d28d6673bb1e

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
199KB

MD5
6022056da879b4b4e1222683f3d21b0d

SHA1
6168d2bd4db7814a0845cd04ccfe09e239c05516

SHA256
d720c2fef792c9880e4e8c7e46591139291257521879292182d8480e23a8ccd8

SHA512
96b064a9375c1136a6808eaa757d63b1949106e3feddd42572ab5c8a5879814a260ac6173900754f9cc6110fb61f8bbd7041350cdf8d176aaa567a268eedb163

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
199KB

MD5
bc768252d704798ac2eaa1781b0e3c4d

SHA1
c831780a9f06228d16a7d4b5935b284add070c94

SHA256
9403bd7b94f358a2db9f520a7c40c081d99ab60548f3d4d325a3dc974ff23470

SHA512
3e4a64c009be83a2fbd09e3c4cd531be5efe638f855d30917c710c3947b1bb560d440d3da89dc0553f46d3e512a01d2ae2fd64ca6121f47c7c576239e05d55a8

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
199KB

MD5
724dee13c2d7197cfab8020830fd80d9

SHA1
6c3aa56641633b3ba4455d25d44e6cd3c08a84d1

SHA256
21c36a2e90acd791b200a4262015593e2b6c1da25e6ac7a01e702596df97299e

SHA512
0a143a490264c6c6a2d679355a59b8bb427274861e723b237a0b284b04235ed4fe648368d29c2e817c133106d28c360072369133ca8260826b73e1f999c78562

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
199KB

MD5
c9e2f414a4682d112e2401368c23de22

SHA1
b1e648faecde9c39793f5d4ff81494d0daab85f1

SHA256
51ef6f2a99bdf76117e6d6b2e4b211092c2dfc6b3a69ee77433da31d468028ee

SHA512
85e08e9e08925967548d52217c1ffd9487aa77ff9061212b4470117e40f0e2c6ca73cf8f4816553ac6879015c382213499c1b374a5543e4e1307f9c836a530ed

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
199KB

MD5
3fd3d526d8734ca330901f4d265af94b

SHA1
53d47340fd9bfa82be4979e0cb993bee0186293c

SHA256
ab551376cb6197411d29ca7c9725cc12cd94e8922af4c9abe89247f9c4b7306b

SHA512
5415086a71bdd79fd965e5e26fed8a6885d0e17f1e5676ada7682425153048bde40a014d5ec915f2f40eee0a7fb6cc531b781305f0c891231cc093af4bdad9c7

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
199KB

MD5
3962458a3c9e8699935a677cc6162aee

SHA1
edb3474e3511a0b96cc3b1f305e1db88892ca71c

SHA256
cef0553114ee224cc0ec0d76ed2e65cf2af48070cb06b3221cec9d0e468b650e

SHA512
b5d6d77632f360a2ed0e895c444f86570398f8fde39f98c10984cea04aa2fed60b848683ed030de50749935d982c4cfb3fe91e36755ed22526e07d3bec746911

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
199KB

MD5
806e2bf953163031dccb329effc4067e

SHA1
92077a0b9ff248d52b09b105623420242c364b37

SHA256
26d5392bd6f6af096c250f24b4c428a97bb4ed6d8ac2444ef29640fb1b99d619

SHA512
86c52c5ab04d3b24a87a9f92c50b6a67089ac97541a0eea861e38a0a87519b1ea53e821015f517d8ddaa7592b5ea12a5531003dcea56f6c33b56fedcdb81e50b

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
199KB

MD5
9167a71bfa14c94d7b4586ba3b78f82c

SHA1
bc4d4ee1eb65a0309f10921eeda862d4ff328489

SHA256
896b3b43504e38c93edf1b3616e413188309f859c9c27135fb4eef18f33a44d5

SHA512
496708a69b68445aa3495c7c26c5d862eca986e5234d365bd1009db04e8f3fb2c62747ffb19cbde9c02269d959920078e925240a70c9e26347bd5c224ed64aec

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
199KB

MD5
bd5b148cd222a01df7845dcc7805e71d

SHA1
3f786e83b3c675848b8f2d7703f6dc69f491628d

SHA256
3bbf3060576032a5ec360b3d364af474412f4f845a9e49a34d15c1f6c20c9638

SHA512
04107b34dc0ef541040fb2bb85c888c88a9d0da41d60b6d0373e99d559694604640b1f4d30c5bcd17873200938f34254cbf7280504d74b419bfeb20e2504da30

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
199KB

MD5
308f1249c80765350dc8d6840218ca4e

SHA1
7c26333a3ce8a717db8f920d954b77f61a08b24d

SHA256
ebdc89e4690c23162f98696259870b8185589d5522b274ba57e7331027abaadd

SHA512
14670885eba81ada2e8fce6f73ea12a3adcf638162aac01ea38e1e2dcb57d8fb8c7f8bff37243822c9f5d867b4e86c353bca2fe5b4907be374a77f834ada2131

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
199KB

MD5
c2f388b32d3fbfa8416ddcd9f414c101

SHA1
94ef2f9684f01ad3acf0314b41cc552a64bf9846

SHA256
5b33dcc4719a023ea3cdc435d67194895bfe575cbbfc9241e8ec642389252cd8

SHA512
9ffdf1447de6e451997af8c988e74dec674c8c596928d9e78070cd9b76605370995f477b58bf7f76bc45c34d175686354a0057325768420aba9fbdeebf0d4d4a

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
199KB

MD5
963973d2738e3effc1bd09f14c8826c3

SHA1
ba968bf1aaf11145ccb681aaa1bbd361c266a49b

SHA256
d8edbbbf025313473dd2aec5933ee397f1a26ed27d3d01207f3cac104ce66b40

SHA512
34254f44764d0e30ae6e7424b4f9a9971e0b6a9e1c2e9fb45c3e1104f590dd66c41e5e8a4b9e0c3ee81b111d8e68e43d481436fc0f02fede603e7240d1aceff7

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
199KB

MD5
b2b45ce5f18c3c76afa30b544d28a640

SHA1
0838b62211fdc38eef3a5c3f1b038dd16707a9c6

SHA256
460cdc8b9f588ae8629299e6885fc9a4498129c598ba2cff1c9ad15cbbc108c9

SHA512
db599ed0d1da6ec61c008b0550cb8befd7c1d48a541c319c478c9cc05b1522edacfdc49052b1a7e6a9f42714f7bc96ebc663a15f9010b502ccb963c89a75bb7b

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
199KB

MD5
21142944f023de6d0b60859f99b39a4e

SHA1
4c2a4c1d07d53e5630ebe3893b62fa6f71f281b6

SHA256
64c0513eced88a02a338572d6247157ff16c50116491e28ba5ba5159d2f19bd3

SHA512
bb18067668dcf14f040048866d7fa0ffda78bbfb9bca2091201d88ca41a6a55160372eb5a592ec07388a450fb4438729c6f16b4c1564714a7d33eac8101b630d

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
199KB

MD5
4813d0d5a39c2fc44b4c68afe5a5a279

SHA1
624ea3c266d71169a08c81ff49fee6e9c5757867

SHA256
4c2526680e5250529b77f06320bb53b1e9108f62aa747d0c93f8b3de84fbafd0

SHA512
7b72e65146c5c2921edcf267b640ed8f976a6d65eb4b06fd36f5094d3fe9929ad2872929fe2612e522b5548d488a193a153adf9ed9f7eb5cc6b89e68ba25542f

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
199KB

MD5
67956d35d85b1db6a97d68901e3f70c7

SHA1
f0958be30851a34ca9a250e8bbccb8d50d26c9cc

SHA256
d0d8ed5c120325b42b37f426f455dc997d3cfb04ed5172e49e6225424d4fbd42

SHA512
834f97b60c7fb088d7251fb47a6326461814bdb1d7d1a03039b8f92abc731bf44b6a1f4407dde3435feccd99d97fb866745574782dcb265dfaa878d0317cf994

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
199KB

MD5
8c124b66b6f24069674fe440c2b795ef

SHA1
8e5fbf18d29161fc10c0f315f32b58284dd191de

SHA256
cefa9045e7426b6916abd352b953b490e5fafb2eb1e57d130858152858d720a1

SHA512
ffe455370fa03f1d01d2a27305085c1f41f47b4ea3dba46e53a845543157e1fd8648d1473263e4a0ea7aa9e5724543b99f384629e4ec50e54f3b24729b3a83c3

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
199KB

MD5
6fd2cca10b6d4637175a38020d33c54c

SHA1
1586a8d07e24ff61f8b8684dd5ac3c92106bfed3

SHA256
bcde86848be212e56b73811b1c8ba4a7fb7766688a6a461adb4907dc0fe28fa1

SHA512
d68bac1868d5e0250a2fbf8cfa656284a8b00243c3de008f09409f82d44e7511fd4012e4464e97e9cd0e157f34d4a2dde94995e326f4476bd54a347b3f558dcd

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
199KB

MD5
2326b3c2209efca907fdaa7f7ce2135d

SHA1
9cbbb4b817ab345e05ac1ffa38d19e8d6ba15d37

SHA256
fe0391ebc4d27ecadb18b5c65712a4ab3d45c04ff002f4764fc5606a28dce64e

SHA512
7ca6c69ce88d90ed01fc81f5160cfe9aaa8e395dd3b60eb6e1816c37ae521361a0f2190604e4b7ccdd35d402ffb0e765c00aff4aaf20e47c77cc26b3e0766718

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
199KB

MD5
b4f1f458780d14fe25bbf03f77003764

SHA1
704af01719132603e1f976d27771364f66d159fa

SHA256
13be5ae39335e26df984110701c5a6f68612c82019a762b5432f35b5c15f9d6e

SHA512
61d3721675c72ac1e547eb707002dc65d62ef168a320976c16cc4543763c1c3ea9ded3a22a8c0c2fa4f38aba3203e0741b58283f232382c1944f89340a089d7f

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
199KB

MD5
41071f411c126ab79dead8ea27cee379

SHA1
fa24f2146b3ef1dc2bbfa4a9f84d39ce615c4473

SHA256
d8548c370c7171eb8f63fc4de26ce7c6d1d62299fa5b7442e6181c64fed648e6

SHA512
28b8709323f683b1f35837e41c2b28697812f150217e95f8ccc7f4ae3577a26777f708b60f8e72b50b64771ebbf1940409fcfb1fdc3a00b26c7df9cf5cafab5c

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
199KB

MD5
68515eb67c68aa30bf589f73ebe9d3e7

SHA1
fab04fa5e030fa2b7beb876d629d89684fd91b5f

SHA256
282667050cf744baef26ca4baec1d3858eb51f02ab8edfe346380aa80db9b774

SHA512
565503508c5c7d7f144b25ce06f308d6bcbebc8bf66757c01ed0ce689a5312b2ffe150083ac829b3bc8dd750ca531c10fac13cb6a936f7ba91d4d4739e2dbd1e

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
199KB

MD5
98803e82ebf869b2e9bf4c722294b79f

SHA1
eae61f69d7712f831793a48d5ac81dca0b935f34

SHA256
a5c9f07ebe2d666d0e20fe6ea12585256f7bc73393c49246c09b8912d6e02a6c

SHA512
5085c8a15c99479f55bfac63e083e5566ab76d3a2b9757d7f493a984a573d07fcc2c0d97268d835ebaad10640aa885291456e546856bface7a649f6ccdbe04c6

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
199KB

MD5
235d9c3c0aad6007fcb363a59cb67a03

SHA1
28c59691852f601afb53b4ebaaf7f1995961958f

SHA256
713c8f5f1b84b47dd2f947997efcd9b0e1a314c60b1d1572be34430059cf1a9f

SHA512
dae5f24aa787e7f00f01595850028b6d05cec7b74ecbfd85e2a81964b89b4ed2b65880836566a2cfb0f68b80cf04c20462d64cc247324c116cda85476b0c9722

Download Submit
memory/676-325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/676-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/848-301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/848-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-282-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1144-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1144-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1792-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1792-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2068-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2068-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3156-319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3156-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3712-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3712-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3724-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3724-326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-313-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4276-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4276-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4496-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4496-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4496-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4516-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4516-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5044-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5044-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads