714217bb2ed0f1428ccbf255690401e2fd5e4f2a20db3869752e37375b44c51e

Analysis

max time kernel
103s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6e759d7b276f9943ef49b6d71af7c90N.exe
Size

1.1MB
MD5

a6e759d7b276f9943ef49b6d71af7c90
SHA1

98d0b062f8fa0f06bdda0696c6794a3f897fc262
SHA256

714217bb2ed0f1428ccbf255690401e2fd5e4f2a20db3869752e37375b44c51e
SHA512

587bf8cb38cc3f6cb7613daa0d5be21f270a53e6cc2d9e2310db7e30f10290b55a05b6cb0337bf1251c2f1fe54bb88a8c6c43b5319cdc5582b094046ba2a8d90
SSDEEP

24576:675q6YU0X+Oq50Ge/5orQg5ZmvFimm0HkEyDucEQX:8q6YU0X+Oq50Ge/5GQg5ii0kEyDucEQX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a6e759d7b276f9943ef49b6d71af7c90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a6e759d7b276f9943ef49b6d71af7c90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe

Executes dropped EXE 42 IoCs

pid	Process
4736	Bnkgeg32.exe
3200	Beeoaapl.exe
2616	Bgcknmop.exe
1096	Bmemac32.exe
4664	Chjaol32.exe
3776	Cjinkg32.exe
1092	Cabfga32.exe
2876	Chmndlge.exe
184	Cnffqf32.exe
984	Ceqnmpfo.exe
3536	Chokikeb.exe
4036	Cjmgfgdf.exe
3592	Cmlcbbcj.exe
4284	Ceckcp32.exe
3244	Chagok32.exe
3020	Cjpckf32.exe
3688	Cajlhqjp.exe
744	Cdhhdlid.exe
4292	Cffdpghg.exe
1564	Cnnlaehj.exe
1000	Calhnpgn.exe
516	Ddjejl32.exe
3088	Dfiafg32.exe
5068	Dopigd32.exe
2260	Danecp32.exe
4860	Ddmaok32.exe
1520	Dhhnpjmh.exe
3100	Djgjlelk.exe
3176	Dmefhako.exe
2788	Daqbip32.exe
1688	Ddonekbl.exe
4452	Dfnjafap.exe
4140	Dodbbdbb.exe
628	Daconoae.exe
1380	Ddakjkqi.exe
2592	Dfpgffpm.exe
3436	Dogogcpo.exe
312	Daekdooc.exe
3888	Dddhpjof.exe
1592	Dgbdlf32.exe
540	Doilmc32.exe
2052	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	a6e759d7b276f9943ef49b6d71af7c90N.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	a6e759d7b276f9943ef49b6d71af7c90N.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	a6e759d7b276f9943ef49b6d71af7c90N.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1552	2052	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6e759d7b276f9943ef49b6d71af7c90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a6e759d7b276f9943ef49b6d71af7c90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a6e759d7b276f9943ef49b6d71af7c90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4736	4812	a6e759d7b276f9943ef49b6d71af7c90N.exe	84
PID 4812 wrote to memory of 4736	4812	a6e759d7b276f9943ef49b6d71af7c90N.exe	84
PID 4812 wrote to memory of 4736	4812	a6e759d7b276f9943ef49b6d71af7c90N.exe	84
PID 4736 wrote to memory of 3200	4736	Bnkgeg32.exe	85
PID 4736 wrote to memory of 3200	4736	Bnkgeg32.exe	85
PID 4736 wrote to memory of 3200	4736	Bnkgeg32.exe	85
PID 3200 wrote to memory of 2616	3200	Beeoaapl.exe	86
PID 3200 wrote to memory of 2616	3200	Beeoaapl.exe	86
PID 3200 wrote to memory of 2616	3200	Beeoaapl.exe	86
PID 2616 wrote to memory of 1096	2616	Bgcknmop.exe	87
PID 2616 wrote to memory of 1096	2616	Bgcknmop.exe	87
PID 2616 wrote to memory of 1096	2616	Bgcknmop.exe	87
PID 1096 wrote to memory of 4664	1096	Bmemac32.exe	88
PID 1096 wrote to memory of 4664	1096	Bmemac32.exe	88
PID 1096 wrote to memory of 4664	1096	Bmemac32.exe	88
PID 4664 wrote to memory of 3776	4664	Chjaol32.exe	89
PID 4664 wrote to memory of 3776	4664	Chjaol32.exe	89
PID 4664 wrote to memory of 3776	4664	Chjaol32.exe	89
PID 3776 wrote to memory of 1092	3776	Cjinkg32.exe	90
PID 3776 wrote to memory of 1092	3776	Cjinkg32.exe	90
PID 3776 wrote to memory of 1092	3776	Cjinkg32.exe	90
PID 1092 wrote to memory of 2876	1092	Cabfga32.exe	91
PID 1092 wrote to memory of 2876	1092	Cabfga32.exe	91
PID 1092 wrote to memory of 2876	1092	Cabfga32.exe	91
PID 2876 wrote to memory of 184	2876	Chmndlge.exe	92
PID 2876 wrote to memory of 184	2876	Chmndlge.exe	92
PID 2876 wrote to memory of 184	2876	Chmndlge.exe	92
PID 184 wrote to memory of 984	184	Cnffqf32.exe	93
PID 184 wrote to memory of 984	184	Cnffqf32.exe	93
PID 184 wrote to memory of 984	184	Cnffqf32.exe	93
PID 984 wrote to memory of 3536	984	Ceqnmpfo.exe	94
PID 984 wrote to memory of 3536	984	Ceqnmpfo.exe	94
PID 984 wrote to memory of 3536	984	Ceqnmpfo.exe	94
PID 3536 wrote to memory of 4036	3536	Chokikeb.exe	95
PID 3536 wrote to memory of 4036	3536	Chokikeb.exe	95
PID 3536 wrote to memory of 4036	3536	Chokikeb.exe	95
PID 4036 wrote to memory of 3592	4036	Cjmgfgdf.exe	96
PID 4036 wrote to memory of 3592	4036	Cjmgfgdf.exe	96
PID 4036 wrote to memory of 3592	4036	Cjmgfgdf.exe	96
PID 3592 wrote to memory of 4284	3592	Cmlcbbcj.exe	97
PID 3592 wrote to memory of 4284	3592	Cmlcbbcj.exe	97
PID 3592 wrote to memory of 4284	3592	Cmlcbbcj.exe	97
PID 4284 wrote to memory of 3244	4284	Ceckcp32.exe	98
PID 4284 wrote to memory of 3244	4284	Ceckcp32.exe	98
PID 4284 wrote to memory of 3244	4284	Ceckcp32.exe	98
PID 3244 wrote to memory of 3020	3244	Chagok32.exe	99
PID 3244 wrote to memory of 3020	3244	Chagok32.exe	99
PID 3244 wrote to memory of 3020	3244	Chagok32.exe	99
PID 3020 wrote to memory of 3688	3020	Cjpckf32.exe	100
PID 3020 wrote to memory of 3688	3020	Cjpckf32.exe	100
PID 3020 wrote to memory of 3688	3020	Cjpckf32.exe	100
PID 3688 wrote to memory of 744	3688	Cajlhqjp.exe	101
PID 3688 wrote to memory of 744	3688	Cajlhqjp.exe	101
PID 3688 wrote to memory of 744	3688	Cajlhqjp.exe	101
PID 744 wrote to memory of 4292	744	Cdhhdlid.exe	102
PID 744 wrote to memory of 4292	744	Cdhhdlid.exe	102
PID 744 wrote to memory of 4292	744	Cdhhdlid.exe	102
PID 4292 wrote to memory of 1564	4292	Cffdpghg.exe	103
PID 4292 wrote to memory of 1564	4292	Cffdpghg.exe	103
PID 4292 wrote to memory of 1564	4292	Cffdpghg.exe	103
PID 1564 wrote to memory of 1000	1564	Cnnlaehj.exe	104
PID 1564 wrote to memory of 1000	1564	Cnnlaehj.exe	104
PID 1564 wrote to memory of 1000	1564	Cnnlaehj.exe	104
PID 1000 wrote to memory of 516	1000	Calhnpgn.exe	105

C:\Users\Admin\AppData\Local\Temp\a6e759d7b276f9943ef49b6d71af7c90N.exe
"C:\Users\Admin\AppData\Local\Temp\a6e759d7b276f9943ef49b6d71af7c90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\Bnkgeg32.exe
  C:\Windows\system32\Bnkgeg32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\Beeoaapl.exe
    C:\Windows\system32\Beeoaapl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWOW64\Bgcknmop.exe
      C:\Windows\system32\Bgcknmop.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 408
        44⤵
        Program crash
        
        PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2052 -ip 2052
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
1.1MB

MD5
f92da58512f3d227b15a96ae6e3e38d6

SHA1
0a7689c2c3acf02867f3fdd3bc08e2f97c92efc3

SHA256
e39e53e52fca0fc0dd25f4a80720841ac557627a76f179ea3a07bb4542b83df0

SHA512
1523529093abdaae8ac1147fbf4f878ba68bdad371a713214efb9e9da7125d565d2f845e3bf802ff4bb9478c8e7dce700b2c5342eab996106dff6e1e35d7ea15

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
1.1MB

MD5
087c2d5cc9d98502b28f64503b7147d3

SHA1
587f7941f91a9993b94366245ddc6bc697eb8d4b

SHA256
90fa9f838116bef43db26674f13bdac059f9c7316f91e112df42add205ac1326

SHA512
aaccf03e35d43aed67c09f7d5d1aa6e1bec3b593c1aef33ed849cdf505a90d4768dbc8f5e2dbdcfcd45de975135c6f495d5d436df3278d47680a275867c2892e

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
1.1MB

MD5
013cac3ece962842880b8006b98ba294

SHA1
fb1451cd84dfb31b2a2f1c6112b87e46bf55da79

SHA256
c617e200d80cc4ea0afe605dbfcb47d5c8eaf7dc3e81bd3ef153b1461441692d

SHA512
da79873bae604c7f01d44e9e3ead0e24a9ecb461e845e4c38107cc752cb7ded24f523417ffba3cac207d811cc72e06b72dd33a7c3b368f81e7a272f70cd20ff6

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
1.1MB

MD5
1a9033936a1b867556e0fc1427245208

SHA1
e0ce596a4692a0b48cae42ab0543d74e599f088a

SHA256
c2d26fd3373e8213e3a935c9cd3e42f81db7904146f6aaa5ff1a2f2e0fe12bc5

SHA512
b739de690aa7ea8678cb6fde24a959929e813dcfbc474d4d3b43bcd1cd482aca360179da70ad6f37e042abcd69f52616152879b4912a760161af2c3abfeb80b4

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
1.1MB

MD5
aca3ea41412c9e6cc4d5a3638dee1da1

SHA1
676114f48ecb35fb2fe06212071f86e3070dc6a0

SHA256
ad919bb3ba9630fcc5d80cbe974b1f57119be6810ef6b0135140b5a61c7bb934

SHA512
bbf5f72ea0cfaa113d95dbc5045cf1b7e093ba07fcbe50002dc103d0d00926097f801035adec6d79304e08d9d883a9c2c0a1556932c124a37a1ff37241f9371e

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
1.1MB

MD5
999a2044d1e3cdedc6377b09f7d564cd

SHA1
415e55bd0f1d6552ee2e8353f0d404276a92b7d8

SHA256
893e08e01e5635b2a190a928bcd5b4f99203a104997354cfbf30d168adaa3967

SHA512
c33cda84776ff90cc21cb426af2ba418d995a4986953e6a2525d41ffd2855c8b068c3ad4f6524eb7b72203d6550368b8dc720037215550a0968bd3bcfa96e619

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
1.1MB

MD5
d8b78b0a6702e0cc1c9bdba7762d04ea

SHA1
677b6891dc6866ecd977e5c236ca39d06eb5cfb4

SHA256
d843f69684b188cb8dcc4f2bbfd89082e47ef24055aa5b2e10886180df9bcd1f

SHA512
637e27d28faa0c1a716eb857c74bcf0a1d9379de4899d2acf4130a4877c39e1e464546935ad820be988a7a160b5a98836832f485e16bebdeeb40cf138dddedc3

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
1.1MB

MD5
0650a59ac384de4995e19db2fccdbfa3

SHA1
77a9c2dbb5683e548cbc95b10df7a72aeb8d9ee9

SHA256
a940c04099e841ee7552f40fd1ca162befdabaf7c712189d37f7773be3ad8424

SHA512
0759530c38b04db69c805b749db8bce6bfdb11fc15bd85350e4d608e8984f314313eab49ee75ee8145f722cf56c741db1291fa9e1dbdaf7458c9e5b90b676b19

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
1.1MB

MD5
728b07c189afc7674fa7ce7db64ba497

SHA1
d403ccb33db5524a5056f98d4921b6e0a4c18af1

SHA256
b13756d8971f1da4d13fd967b09d8ea49c06de4319793ef3e8a6981e76d7a00d

SHA512
3c1ec03f1770aafb274356ecb51d66a4650614421cd38af86a975b46228851dfeeb7ca6d3cea8f48df43058cf1997ffd1c14a395cd1106bd45fe069b27ddb363

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
1.1MB

MD5
ebce47bedd6b36681c3f043052527eee

SHA1
8ae4a38bfdbc170cf653ab5d1478aef99112ecdc

SHA256
905fda912e5b90da420a833a60bf5071fc1677f4b62c828aef501dec6562ef3a

SHA512
5d3f5ca9927478e63efd9006485e9d2a2f069538158cd7df90ae3122b2acd467b79ebc8908d445b1c007cbc6a52997dd487edee41335c6d94babf2e0748edd2b

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
1.1MB

MD5
ecedca321ab58bac03672e7be43b141f

SHA1
b082e08706f372a30e11ea9ab7fa61de4642e08b

SHA256
88d48f1364336de055a734d34d65b215fc06ef524d86875c3590cde3708bb3a2

SHA512
3455e67a0fbdec0bd99e0099ac9dce55509b542691a0bed9182c1686fed11c5c7c7b6e6497fec3e42acd2992bc2132639b3a5280fa1edfe80c47ca412e129045

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
1.1MB

MD5
689be9e6f3becd93ca85405122238856

SHA1
6a890af9918fe07d0cb925fb478532705c4f4ab5

SHA256
e467ba61ffc43994fde81b4e06074d6fad94a71b0dc55814c2f9f1dd652bb7a7

SHA512
7cf5c3813c686a40dcc1cb303ad63c85db6f958f7c263cd0b8933f56458191def2021a2effe01e5c6672fe5feefbbe1ff3427e93f6700f97c5327a0178b31e06

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
1.1MB

MD5
9959e92f52e296d992f4b582c1dca6ba

SHA1
a701f06bcf1cb987912592ef3525e8f2b7d7fd07

SHA256
7b2fe996c7eb302b7f5ffc67157beef688b4f48b029fbe3def47f7f7782a55c4

SHA512
cf0a1c43bebb96ebf85692034ccd4ca2bd034142d352ca7396eb4f3555b26a236421ea9606fc55b871e5f44610d0abf265cbbc367a2789c18eac6ad3ca473801

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
1.1MB

MD5
1f96eb8479b0a38898a64aa68c3cd99c

SHA1
20a2d2af5c8b94b6c3fb19196369b3f8a8fc96c9

SHA256
2a65e8790f9cad22074389b6cc7505253c98703e3aeb837df13aede8777be63d

SHA512
f1bf7b9cbbff3f71fc62bd60624c4bc9d3d03411f6c5c1eb9deb2d82e923889d36b9510e7d6a202902dd8a4f5a74a79ffef33b45eb61e35488d1a9edab72fc99

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
1.1MB

MD5
bfb4e86ca8ce0962b086549d3c3bdc7a

SHA1
17757024cd02dac25e7264a72a6215ea5cb253b7

SHA256
d79c435423ba1cff08b82ef74f5421ab25c7526b4c5db35f61ba3624a15e65c0

SHA512
50c6acb27f2fc058356e7107a9d6b8b6438a6173b912c6cd45b3e8f43725be9658e93f5f6175e0a40100d340b115e14ede43fa48971b04904761aef8fffbfa51

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
1.1MB

MD5
04723660f3a5df6f345428fd66af08d6

SHA1
c61934db6e070a3539ac2aaaa160fcb52978fb22

SHA256
4cc8b829aab133e17a6635ea4f6942e9356b5d81d314b2f180b3d0c1b4a67b0e

SHA512
8fcb7d5b9f09d4d69fef685d2b6fcd51dc75fad3497cdcddeb73b471cb4266694522193ba7230ff35afab59708590a92588a07cd26c80b91dfa73459cca1bd23

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
1.1MB

MD5
adab9b427e23d64e13e981fa00d93aed

SHA1
75ed5fac48151628b64a226342f391be24af77d2

SHA256
e96aa6a6e374ac0309b21469ecbf98f2131deaa372f3bf659eebfe985bccb97c

SHA512
f3e3de37a0cb30d1af007a0bf80bde1480dca6fb0aeddb7df38e59ea672338c93e5bea0615e6fa4d29b701882d1193d03895c6063171ae85faab5d3fcf78ac3e

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
1.1MB

MD5
f9e6ea245247c135324986c39d7a51cc

SHA1
0c79bb11feea67c39a02c16846972dc35d9a2f0d

SHA256
143557915410048b1f02b51a449d0df7ae096f23258d98145442dfefe6a271d7

SHA512
1bba13e70edc7237a74673255ecaef3620de009149439c6408efafb1e5e7606d948c3d883246a6d5b4cf553e1a0a9620f364775616db7ab8030938bfda76c68c

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
1.1MB

MD5
82a943cfdb588f4a09b8fec6497a7b8c

SHA1
830f40689259e05928a6464dc0e60dd2a21ed645

SHA256
22a9153cbe7e6dde7a78f92414bea2950c0001bef8e483ab716e57f4291fe09b

SHA512
e6040ed3b882a35a47ce56467de5937f6b34e8958f9cd8fe1311adb5071e4a4177937db6b5756de2bdd715c98813ff475009dd8b62750cbb11678a8115c685b1

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
1.1MB

MD5
6f5e3d5daa4192bf0a83aec99d849e06

SHA1
90848cdeaf8763739f8d133f36e483d3423ac033

SHA256
49fcee79ff0b30cfa94d10aa43291e5b5f8504a1e914a3d9512729f45c8ae3c7

SHA512
262488e3a6b7c76a3c8a5df595c452ec6e95b14e6fa71a5cb5c4d0d759573b95f394a58d908c26f3e7eb5502488cdc9f10c1421f86d07d1cd5bf02163bef1f32

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
1.1MB

MD5
d436ab4c88e59c9f9c1ab5fe24631455

SHA1
a6f617be6da04dbd45ada498c37940bef7cc5ab0

SHA256
6d09f6a15ccb98af4e6a278a4f36ca960bf36c921a0ed7fba9d9101c18367b4a

SHA512
c7f15485ff73d4930fa15909b461473d16bd0cce83482c7f6e6470d81ad40cbcd2793afb35b5047e44536d2b3dce56d78402bb955e9ed6291976433a42c00c95

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
1.1MB

MD5
ca8cc50c8f38ce8db218b776ef4b05d4

SHA1
2ab4b3f4882c76616265fa773b20c462ed2dbeba

SHA256
3b3a1c3c883f86865a5a99a5aabea1c007f89a44c7a151f8ea994d1cdf326593

SHA512
0fb6cc38c2993ee9ccb23880311504fc0557603fae1c61173accdea8095aca89694a1385e422c737ae402535fa838379d243337dbe976fdf7e8406d7b155ab77

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
1.1MB

MD5
a7d49be65b46503c830505e407b416ba

SHA1
dd55ea3d63ae13293c810f4a7b3d99fb5d7a4c27

SHA256
11656f02cf1a9a8b912a21246b68a025d835243da909fcd9889995a8238b6984

SHA512
76e1eba867d6e706c0a3940d2f9dc72637c838df8354fdd06645d5f29e14c16200bf95dfecb08de98b190722fd4585a5dd2a30ab70ac6ead6bc0836088d19fa9

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
1.1MB

MD5
efa0dcdd5ae6f3451f76d663b9d0b46e

SHA1
ded59ed0030bb9cb8840aecf74f47d89847700cb

SHA256
b5e5c7d35434962ef204ac0a72a9550176983d73bd2c5727b2791d96726debde

SHA512
fe1c35df2095e1caee2b712c62e533b6b2a8ac48f26a540c592eba014b6a549248297d0e4bdc8b816b2c7e7593ab4d3f41c98e0a3bb54a8713d84612f96a6869

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
1.1MB

MD5
b5f2091231a675e8a1474eab6a7ecd46

SHA1
69b2d159adc45b297c3708b67ffa9ebf9f3c2e60

SHA256
b6b318981b14181acecf0be72c5197f5d494765aed5c6c92fc61848671b2337e

SHA512
e7bbca182b0e372d2deab0610b3ac6f8775d33d4d1f4ab02c7312a24d78678dc6d8f86d50d57bd5356c9403500103ba8b1596c098a1b4d5bd78bd56c1448bc19

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
1.1MB

MD5
f04aca83ef497af3f6bc7d6d7ead270a

SHA1
b5413d1a05d4fc146b30a5741270f651ca0b2810

SHA256
785526d9dbb204b83cb3c7f900a6a9ad50a217af76c2686c21c346c793582d29

SHA512
a444c25a362adebd8ed984d814711f03c5b8be9152ce34617c11b215e2d5c872a8cf3e50c274f80578ccbe91af6fc1c13fb0547b697d4098244cd2f0ae6dff1c

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
1.1MB

MD5
69765d4b0a8fb5c775de3d74e2e26e53

SHA1
1aa318f4dba1d0250b43dcb27668fae9baf6827a

SHA256
9f7bb93ff9dca56c7849b08d0167c6c1fe1f4cf40eaf241dbd6e7950a90a1b33

SHA512
a603908591317b343dc26735d40fbe59ba7dc08bb7f3c48bb94e962d29e720cb70a1e3409f719a29edbfd45e2640f015a3194bdd61d43d0e3aee1f7217944255

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
1.1MB

MD5
543383cea1d371d3bd6cbab56656482c

SHA1
ca5e7aa0f23bef47bb8eadb65caab6af074470c0

SHA256
e98acd366ac3385cbac79e47a5b6299b663778b024eb992dea16f7626dd72b40

SHA512
d86ac084fb686395582ded547d815c1abc369903494f1871b92fcd20ca58cbf246bb0665ffdf88c426268c677b4b8ae61616d8160d6aa35a58d2f6fad5f191f9

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
1.1MB

MD5
d1529ca44fdea9975509b873c732e893

SHA1
be7f1bf40cb2d9f578ae2db84e44cef250f7998a

SHA256
a342980278e9c25374e59c1729bbe4cc558fae0116b713efe2e83abeed996bd7

SHA512
67ba7728517b344d14edf3f8a767f697ec06a4ceeeca3dfc26faa039a55383158ddf95f3904a931a4e57e82ff6d96e955d6bc70ec50f87238aca6c1e9b75b244

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
1.1MB

MD5
89c437ab91b2e24e05bbccf8135f0b54

SHA1
6fd735953cf5f562f99f255463107908fad454fe

SHA256
8a690354ecf6b684c6603f55cbc326952f1b97191ace0e7bcf8fdbf064386fc0

SHA512
78535ca050c377d23b920b2d5c1815dceebc20a10191bd3560042f985f9641edd88a685663f69fcfca617845bf1bcd3395a55f9739da7e6d8f5a71bce1f4d5ad

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
1.1MB

MD5
2c8e4fffb5d6980b951a78440319efdc

SHA1
0a6a633d620dcedb9797c90c676e842133b65d1f

SHA256
7e1a9aca7d8a56d7723e6d56ed9230062e30a56a07663bc4bd07974a8908703e

SHA512
76a6860a5b038daa15c09d8cf14cec27b7857ecef2efa913830653aa87aea89fb7570d97c00818389ca4495ef66aead8065ccf657c3b129a2a3d526089918b0f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
1.1MB

MD5
2eb7e78831e77f2232e97727ff498236

SHA1
e2fe57251b07203fbfc652439508e43aa354d32f

SHA256
0fb114ad64ed1ae5be0aec6a4beda09709405a883c884dd61cbed46ed9f55654

SHA512
a41e0a61f9a63c8b6b3dc79e2f38357875dd294798f60bb8c1c538249a2237f85d0d75b39e3662ed606f1fd066c649b7edc98e8065c9d3731f532977cb5d2f69

Download Submit
C:\Windows\SysWOW64\Jfihel32.dll

Filesize
7KB

MD5
44b478afd338ce6ed8b2bc90040da6c9

SHA1
2d1f01e7e4d46ef43b6337a3662e384d81a74716

SHA256
961f0e7327680bef690301230352902e1d30e7ebfc94e2a9ffecbf37c0180893

SHA512
b607895790e9e3578e98aba2cb700b64de241e7bc8eb6edef038674a154201e9b5a5c5968534d1454cddc58f33b128ef60ef8b87eb7b514a8fd4fa5cf68e4f09

Download Submit
memory/184-315-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/312-312-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/516-295-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/540-309-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/628-307-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/744-291-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/984-283-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1000-294-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1092-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1096-317-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1096-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1380-321-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1380-322-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1520-300-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1564-293-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1592-310-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1688-304-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2052-308-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2260-298-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2592-314-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2616-318-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2616-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2788-303-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2876-282-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3020-289-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3088-296-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3100-301-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3176-302-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3200-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3244-288-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3436-313-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3536-284-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3592-286-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3688-290-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3776-49-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3776-316-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3888-311-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4036-285-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4140-306-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4284-287-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4292-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4452-305-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4664-44-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4736-319-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4736-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4812-320-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4812-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4860-299-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-297-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads