ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7

Analysis

max time kernel
131s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Size

80KB
MD5

422c93b3ca209aaac797dece06b890c6
SHA1

5882c9401f0ada5af550af4a93965dfdc130683b
SHA256

ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7
SHA512

0c0b7adec524f50291d789f012796220a7ac22ee39641f94e90fa2aea60e8d9698a56ff95afe5a0467e87dc022704fc5f947785a2c77d668a6b0db54c47f9aa2
SSDEEP

1536:bE3EPonB4AFLWEeyUGvaU22LrPJ9VqDlzVxyh+CbxMa:GGAFLWE1vaYjJ9IDlRxyhTb7

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe

Executes dropped EXE 40 IoCs

pid	Process
1640	Bjddphlq.exe
4596	Bmbplc32.exe
4796	Beihma32.exe
4560	Bhhdil32.exe
324	Bnbmefbg.exe
748	Bmemac32.exe
3580	Belebq32.exe
2036	Cfmajipb.exe
3952	Cndikf32.exe
1948	Cenahpha.exe
3264	Chmndlge.exe
828	Cjkjpgfi.exe
232	Cmiflbel.exe
4696	Cdcoim32.exe
1672	Cfbkeh32.exe
4344	Cnicfe32.exe
3236	Cagobalc.exe
1192	Cdfkolkf.exe
1396	Cfdhkhjj.exe
4860	Cjpckf32.exe
2888	Cajlhqjp.exe
1280	Chcddk32.exe
2732	Cnnlaehj.exe
4708	Cegdnopg.exe
4768	Dfiafg32.exe
1320	Dopigd32.exe
1356	Dejacond.exe
4156	Dhhnpjmh.exe
1448	Djgjlelk.exe
2160	Daqbip32.exe
896	Ddonekbl.exe
4612	Dkifae32.exe
4944	Dmgbnq32.exe
4368	Deokon32.exe
2352	Dhmgki32.exe
3124	Dogogcpo.exe
4880	Dmjocp32.exe
848	Daekdooc.exe
3532	Dknpmdfc.exe
4868	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3140	4868	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 1640	3732	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe	84
PID 3732 wrote to memory of 1640	3732	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe	84
PID 3732 wrote to memory of 1640	3732	ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe	84
PID 1640 wrote to memory of 4596	1640	Bjddphlq.exe	85
PID 1640 wrote to memory of 4596	1640	Bjddphlq.exe	85
PID 1640 wrote to memory of 4596	1640	Bjddphlq.exe	85
PID 4596 wrote to memory of 4796	4596	Bmbplc32.exe	86
PID 4596 wrote to memory of 4796	4596	Bmbplc32.exe	86
PID 4596 wrote to memory of 4796	4596	Bmbplc32.exe	86
PID 4796 wrote to memory of 4560	4796	Beihma32.exe	87
PID 4796 wrote to memory of 4560	4796	Beihma32.exe	87
PID 4796 wrote to memory of 4560	4796	Beihma32.exe	87
PID 4560 wrote to memory of 324	4560	Bhhdil32.exe	88
PID 4560 wrote to memory of 324	4560	Bhhdil32.exe	88
PID 4560 wrote to memory of 324	4560	Bhhdil32.exe	88
PID 324 wrote to memory of 748	324	Bnbmefbg.exe	89
PID 324 wrote to memory of 748	324	Bnbmefbg.exe	89
PID 324 wrote to memory of 748	324	Bnbmefbg.exe	89
PID 748 wrote to memory of 3580	748	Bmemac32.exe	90
PID 748 wrote to memory of 3580	748	Bmemac32.exe	90
PID 748 wrote to memory of 3580	748	Bmemac32.exe	90
PID 3580 wrote to memory of 2036	3580	Belebq32.exe	91
PID 3580 wrote to memory of 2036	3580	Belebq32.exe	91
PID 3580 wrote to memory of 2036	3580	Belebq32.exe	91
PID 2036 wrote to memory of 3952	2036	Cfmajipb.exe	92
PID 2036 wrote to memory of 3952	2036	Cfmajipb.exe	92
PID 2036 wrote to memory of 3952	2036	Cfmajipb.exe	92
PID 3952 wrote to memory of 1948	3952	Cndikf32.exe	93
PID 3952 wrote to memory of 1948	3952	Cndikf32.exe	93
PID 3952 wrote to memory of 1948	3952	Cndikf32.exe	93
PID 1948 wrote to memory of 3264	1948	Cenahpha.exe	94
PID 1948 wrote to memory of 3264	1948	Cenahpha.exe	94
PID 1948 wrote to memory of 3264	1948	Cenahpha.exe	94
PID 3264 wrote to memory of 828	3264	Chmndlge.exe	95
PID 3264 wrote to memory of 828	3264	Chmndlge.exe	95
PID 3264 wrote to memory of 828	3264	Chmndlge.exe	95
PID 828 wrote to memory of 232	828	Cjkjpgfi.exe	96
PID 828 wrote to memory of 232	828	Cjkjpgfi.exe	96
PID 828 wrote to memory of 232	828	Cjkjpgfi.exe	96
PID 232 wrote to memory of 4696	232	Cmiflbel.exe	97
PID 232 wrote to memory of 4696	232	Cmiflbel.exe	97
PID 232 wrote to memory of 4696	232	Cmiflbel.exe	97
PID 4696 wrote to memory of 1672	4696	Cdcoim32.exe	98
PID 4696 wrote to memory of 1672	4696	Cdcoim32.exe	98
PID 4696 wrote to memory of 1672	4696	Cdcoim32.exe	98
PID 1672 wrote to memory of 4344	1672	Cfbkeh32.exe	99
PID 1672 wrote to memory of 4344	1672	Cfbkeh32.exe	99
PID 1672 wrote to memory of 4344	1672	Cfbkeh32.exe	99
PID 4344 wrote to memory of 3236	4344	Cnicfe32.exe	100
PID 4344 wrote to memory of 3236	4344	Cnicfe32.exe	100
PID 4344 wrote to memory of 3236	4344	Cnicfe32.exe	100
PID 3236 wrote to memory of 1192	3236	Cagobalc.exe	101
PID 3236 wrote to memory of 1192	3236	Cagobalc.exe	101
PID 3236 wrote to memory of 1192	3236	Cagobalc.exe	101
PID 1192 wrote to memory of 1396	1192	Cdfkolkf.exe	102
PID 1192 wrote to memory of 1396	1192	Cdfkolkf.exe	102
PID 1192 wrote to memory of 1396	1192	Cdfkolkf.exe	102
PID 1396 wrote to memory of 4860	1396	Cfdhkhjj.exe	104
PID 1396 wrote to memory of 4860	1396	Cfdhkhjj.exe	104
PID 1396 wrote to memory of 4860	1396	Cfdhkhjj.exe	104
PID 4860 wrote to memory of 2888	4860	Cjpckf32.exe	105
PID 4860 wrote to memory of 2888	4860	Cjpckf32.exe	105
PID 4860 wrote to memory of 2888	4860	Cjpckf32.exe	105
PID 2888 wrote to memory of 1280	2888	Cajlhqjp.exe	106

C:\Users\Admin\AppData\Local\Temp\ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe
"C:\Users\Admin\AppData\Local\Temp\ea00d10a21f6e1bc19593c22104a1038d962569c19f6125f86fdd85860e61ab7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\SysWOW64\Bjddphlq.exe
  C:\Windows\system32\Bjddphlq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\Bmbplc32.exe
    C:\Windows\system32\Bmbplc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\Beihma32.exe
      C:\Windows\system32\Beihma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
      - C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 396
        42⤵
        Program crash
        
        PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4868 -ip 4868
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beihma32.exe

Filesize
80KB

MD5
240d06f13a5c77a4febf3c5e9506a18e

SHA1
4bdffee1a83db3961c156f71f186830ec62a9d61

SHA256
b0ea0e6bcb6d3bafd280787c2344032689617feb75c67da6f3de1de1d76af849

SHA512
5d35ceb9118471b87f03c9afeb8c04ace2d85e6e541088b970924f32e5c2f2916f2daadaec193b1b1dea99dfc8912d1bdbf569e7350f61485d347036f36f7b8f

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
80KB

MD5
e78db1b121d2d35842ff3b13c3c21a1a

SHA1
b50b5897b3a0f997bbab2d05898e5a6e2c249d29

SHA256
476401bb2c5848b1579181183cb45684d8d66069cacefaf2e3e91aa0a0061a9c

SHA512
65b2075951fdef65ca79be0a20d9cf601d5985ffdca988973c261635b352d4ea4cbc758c9a07f22a2b478cc8086dde747786846c25d18cbcdee4bfed7d909041

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
80KB

MD5
9d5af669e8af374bf74f2336e2324057

SHA1
164c468553a3ef4519b9614aec54adc99d9b7f99

SHA256
0cb27b167226a5e634847bc52349e73b38060f2f550305d9b641cc5654ef9f5c

SHA512
ae5cc984cfc0da71ff252c75bb2a52b4ff92b7962cbbc7e859b569804211170cdc88e0ba6782eef3df45956feed441faeb27663b44be9b6d56874cd077d80cc0

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
80KB

MD5
da60d05d029a0d9fbffd42d81ff5a663

SHA1
a1c0df04b4471c2ef50189f515ed51dc14fab832

SHA256
239b65bfc8fe3616f56ca78ec051f20753fbaa16142648ff2424d33dd4a26ad2

SHA512
7a86521cb9b837fd7b96af5bf1dd81043826306f679a757dc12777af85e4eb1ed82b0868b19c0282ec4c13d80b32a139140890da73874a5453b3fa7932464a0c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
80KB

MD5
06af5f375d36fd40b55efa194bbfa5b6

SHA1
b58498e66a687807bbf14261cf0a068c225456b9

SHA256
3926664978118c2163f8ce25b0ca986110e19d2fb4186062c6881e3216dbd262

SHA512
62b8040bc1ecdd1b8fc6c39421bb4332215b0d2df21c6c659a2ec95f7249af145e5d6d445023f0b3295d236622e4c2da9fa069b1ef614acedc90907734a446b2

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
80KB

MD5
9c1c877da703ae829c916c054c217588

SHA1
d7c6515b8654a901a98d4962dcba3d047695416e

SHA256
4e1093e4df4d352213140e2921d1d5b2ebea25ec0d4ea162bbb56181eba331e9

SHA512
c63ef70bdda50af376f23836cb4a5314b84b076056a222a7a2577b63775278472b505f202f9133175c6dadbfbb37d88e09c54124bcdde4d3c8e9eaab9fa2a8f3

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
80KB

MD5
f4162ba392383147a67a1590cdb53311

SHA1
ea36a970a71b388df45eb308481cc17c15251747

SHA256
4d0ca05c26c33d031422c93c441db042d0045a49644022c27179a2801801bc89

SHA512
69ec929fe6e2184a3a29a66f65ea23efdc0ca7721250e1be928ba36df03907ef39f00a91b31cc73cb5777d7c77c7b73f3ee1d9b145fb0a5f46ae58b3e061b265

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
80KB

MD5
c5f3cc224c53fc2564bb6ef84367ea7a

SHA1
af1a11e0b5d6f548bdb9ae41994c275ff260a029

SHA256
42accf6d963007324165e44045ceb55ab1de71935d0477556a9c06f38e7ea4c9

SHA512
e14d1729a207db3c56031dd97c2d523b772587866ce045595d5f397db85b2c91915a63c3e50f17efb6c11e47a63c6b844ba56e52b420eb61c91919054b8befdd

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
80KB

MD5
9de4b61e6686609fd5d2c8e5eeb123dd

SHA1
f34346e180cbe58ba8b8b8f18e0031d6b5448064

SHA256
ee84e57de716b3b7cae0f2aa4e014c1e414dbb1885b037c95feebdfa308ce148

SHA512
261eb99eb3b60001d1b04e0213d52e3d8339aed9c7c7fe5ed6db719ab3f04a3384013bc6f23da3f87cac754aa687d71718e45ea209ac1f16b76696d173644d45

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
80KB

MD5
e8093d6f8f8cf53ce2376160d743b30a

SHA1
13f07097e1ee34bb3fa4116fe9c292271d2b7444

SHA256
d62284a02fe7417de7e993ce438fd483fca191a4dfde6f13cd3d0876e2ce519a

SHA512
7d3d422457ec3645bf7fc4a529df41e630cfc29a3813fbd858c7a7e806be87ffdb688b9c59951fb79b60f891aa241786daf250762ccfda1efd6cf2341386427b

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
80KB

MD5
0bf6c3ac08ef25b1b581a0e8633ff427

SHA1
c296e3f55da0fa379c895d5f30f04c0c729c5c05

SHA256
883bf408ef4020ff29dbab83c155ff1a6111e276acff1ae9035fbdf07c87f700

SHA512
76eaddebfc836a88ace7900ddd92d49e139aa2bfa4ac2f9608db3b481443c2040d52317a089feeb31d6c9442e03d1bd9b62b14dc1300e502f59c5de80b80a44d

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
80KB

MD5
529fa66d9bbb366a4f8313023f5c29ee

SHA1
716c0b31c9e82097ca1a0e8fc57a5e6bbddfbeb2

SHA256
e2f12f420466943a31c0a7dc146cc7cd8b76bdbce72a3be42d3f69fc873f1f8a

SHA512
92d0b52505251ec8fb86cf841cb4a2d3afacea50f42bcd89c18c81c909d0f23a26e083f6cf9b9ff214bb2801210ee930ce8c77317e2559fb94fdb0c2ced485e8

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
80KB

MD5
91e535e5efe61b453542ff95d47c4411

SHA1
fb2382e08d5e8ddbd88258b1dd63018f46e10853

SHA256
548397bbf9490c34405e98ab4d2ea51ab8df086e8ebed84f23c1891daf44b0ff

SHA512
1fda5e8da502ee10fa371c40980b517af4bee4fb3c1a97ca2e5d6ace08c8ad999ad25b4fd91ad3732df98b29100e197f6ac109be1467c2384f01a2d4b5366f7d

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
80KB

MD5
b8254ac2555960d4a382bce7f45f79bc

SHA1
68abf5931a43c44cf671d886361441e584dece45

SHA256
07639d7cef65cdb585396534a96f54ca962497e1ddbb3656cdc8fb9a7d9e0121

SHA512
65e54725b1cb169c909525602c3c406a262298735709f92a7ea4327ca86b929fed39848258770aab2648c50530e54536758782caa0a67e6a4aa7e8b8fe3fe4c7

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
80KB

MD5
b52785a9c70c99aee64e87ce06b717fe

SHA1
a53eb1d0add45296715834b5dd5fe5bcee77bb3c

SHA256
e36de4aa59d0e7cd3bf7dcfefdbffcc2238d67586f7fec245da03eba24827aa3

SHA512
2fba73f27e095288992ae5cc85b64da3510dcf45bce10e986a4ff3d67fa1c81fe13d3139a8f95d8dec11c47aa989edd5edba9998a20c898b8ec6179726d47472

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
80KB

MD5
1d8b672d27d26c1c54f4a2234446f20c

SHA1
84b30d45c5b7bf0ae8c790d16ce01fb381f238f3

SHA256
d800df6da92d44847bf4151b5c1cac30b902cdea479ae210d58df2e0bab79c60

SHA512
362b8ed1f352e1e445276bf1889b004cc005d5e1d948d12efc1abd03f4b826d4f38b8d2d45f14dfd9acb58c8cf87e0ef783d109e59a4e3bfccb7b90c620467c9

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
80KB

MD5
4bcd81a5e941505ae267cb8dfb163ab0

SHA1
4ef69118ffb1bc937040794bb73a1f96e58ba7a0

SHA256
6da531845ba61c45f2bc9506eed4281bdb478e4dac36d78a7b10ffd11bf59f38

SHA512
0d70164808c3f4b9be327360ead098f26c21b4a1c1ff0a98d5ac94c42c009d8ca3cd0c111260d7eb6c18c497317b2cfb71919c7a667d4d6dfbe1ad669c102005

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
80KB

MD5
65d9bcce0a0b7a5b556c854791e67bc9

SHA1
52fd688617fb661e97e8ef7eca65a258873f93e8

SHA256
b09cb659507cecb919310b7285339a059480c4b18065a6e6d9a13518b1eacc27

SHA512
2d4d9c51ba4ab0478903a0b37abb65a1781f374f9a24ea6cd0fd6c8507e20509409c5757c57fb5467d6678af3fb10ef43962d54067d8888d7ac44f0bba0c7162

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
80KB

MD5
fb2e6302057573d8ad4ef3a57b3daaf0

SHA1
7383efa12628a2c126eec816895bdf9cc6108ca5

SHA256
ffe72c4bb91369302fd75c32d7efa0eeb33feec06147faf61ee55423633ab66d

SHA512
418278fb06a506ae3eaa0bd30f11dfefe7a86a41d7459efa0ba0405f12cbb2019c7a3cc4192672828f6a4bf266c43f4d32d05c85a273a4a93dbcb7f5ec9967d1

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
80KB

MD5
a3cfde67994f1dbc2cfe20c62eff27d9

SHA1
8bdb7c6291679eb62e743b1898e3df1b08694ec4

SHA256
668ec15b4009e9230226b128bddf1a0d91c6f587c6fb9e122fa686572756e9e6

SHA512
a92ecf5cbd6c3109916505530ff73fc49a6d24418711d37f63a1d1728d2fa0e282869af1f4a253e874b4860a49aa64731bcb5cab1a42085776005230fa039183

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
7292be5b6d05ea2529d116190975b486

SHA1
12c3b4fcf9abe94678678b1ea947521b5d603d1e

SHA256
a1a4459a3a1efde112ab14ea13f93d5ea2e57abf010418146105238e919b572e

SHA512
7213618065a2ea735a5041d22488ae34436f5112c813463ee15504719da7f0dfe0f0b684d4b24a90aea9572dfc7ead17e9162fc5f42914bbc281fd307eaf6fbd

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
80KB

MD5
24fea0e0b2262daba385815d77c2a0c1

SHA1
1d2fe4ba8baec608a9750bd8df6575c032f8e425

SHA256
ac3f49d9b7842d4b3093659e640df480d33b23f0cd30a9286b9f02b56ea2f39e

SHA512
690bb4ac171e483cd2cd4bb69c969670c383ba45b22b569a593174075647ab22ae3ecaad35642852eb35e27885b7d83deade7b663c5a5cbba59f6cf3ae876e6e

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
80KB

MD5
7f9aff1a5a78a665d4ba0f3fd9642f41

SHA1
4a0dee1fa441d5a00fed337cdd26d61a23024657

SHA256
0089b19f6951a00b9f6a05c3413cf8423f75033fa0edd109a7d23da34fb48d15

SHA512
548ccb54862e197cb7a05a9f54090291028d563494b65d72f23df8463cdb2d049667eddb2623ce65e4c3c51437c8dc939d39d354c6e4acfa84704b1a89ea0c29

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
80KB

MD5
14964bb25b9c76089a07ca4509b4ef24

SHA1
e8739d03fd4d2a038630de96759d95e2e777aed0

SHA256
3dd83897bdba87d94a2768c18ed7c5275ce0b31b795040c29392d72a038e25b0

SHA512
8b7fe620f3add1fd51a359555777c14555bf6de602a265436b3d4c55f1686bc35f148a3438851e3662ed77d735d2ddb8dfea3f0e387b0a4d9d4297f7d839fe9c

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
80KB

MD5
95cf0becc2d7ded06fd02ba0aaf0341a

SHA1
efc56ab7e74f7ae3298b7da08fb5fef642c85e47

SHA256
253102c84d7b74a836b9c2a88ccd6aaeb593f6b2ea46c4929c9ebbfec5904455

SHA512
fbc358330398267db133eb0d83757eabc17036ac13f62472c539a76781e191e4b6f37b49e2be40eff0c0e024e3d31a20d50dff8829c8a3c96096a49d2faeb6aa

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
80KB

MD5
445bdc954f9a6474c07a926d8be4df66

SHA1
d34c158fc2efec98d15f12fcd23b8d8d2c8575a7

SHA256
c6b72e92a6e254f485a8dbcf776b1eebd10329007e49033d0cc9c6b8089e82b4

SHA512
b6d3cf4435c497299eef2c193b8216847d166d67f239f9c3ed5014cc9cd5a17f72f669d69688dc95ed706ba3b55506829bdab1f5fae13a41f39288781e287305

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
80KB

MD5
8104825aa20c09af7cb77aff44361a22

SHA1
aadc8cf30c0b0e102e4ab8a0a64b5d1eb2899a74

SHA256
49f66e87baf2c83096928b62691e5c2a8e1a598b0b622dff4c14743a423894b3

SHA512
80fe2c7846e1e4835c0cc99e3c8f9a8d0238d352b089803d352948dffce6cd4508e7d05fb8f199168faabd49f993292e1202492f91c79ceeb6044c804f044719

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
80KB

MD5
de0f7c750da701754cf03a5c45122e36

SHA1
e661fa6bfd0e48a3257e8016d6dc7fb7e7e46cda

SHA256
93a69b914caee69c5a23fcb6e4c4c4f5e526ec149117c423d7179b878be77a7f

SHA512
af6ecdb2fead46012e475a9aa9cfdda48bb199d5026baa47869bf02ee316a36c618e64e660f64e4c257307a80a4bec317b993fd21abb70a853efa51aca2e8c0a

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
80KB

MD5
4a63eec9e0123946b55aa8acdbe7d971

SHA1
f7f80cddce9cc2129d87ec423a19a2b74a29ba11

SHA256
23c4c9ffae30f25c70361580a2a37eecd2a2ce3d29840b783a843e4e6ce19c16

SHA512
b99fa26ea6089b5fce14bba5432e9c0104f68fcb02c58b60b0294a2074cc16a03f6067bf2b8c523ccbaf5cd43347280a6bedf14d0745219b24b3a2f84b80cf36

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
80KB

MD5
a01184bff99e366211aa21ffb784850c

SHA1
3b739397b4cc0af03781cab16554f8a3200c3542

SHA256
ce011d3764847df059c5097ab3efdeb325536acf395624bad1c733fb0d4b35af

SHA512
a53eedb65ecd694f48fe7e71e98292164fa4edd3772ff4a388a21da1a9eb120b251e0199979c719abd58cd9239239ac27961eb838f39dae92a0720899b2a1f08

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
80KB

MD5
704c19c8b14f7c6df8560720b0d7a454

SHA1
ec94ca9d9638489dd37158fd481ebbe91f486c40

SHA256
04337831b2c66a2c48d4dff9b1b4ef69735a1bda2667ad20793164ec65f97fb7

SHA512
de605e619824146529371c5d1cd6d46d45b83f644403609729f994996513f6be1d5b72b5913e0410d75847300ec5943a2276078f90911aec0f893247112979f4

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
80KB

MD5
0a3e4a5a240ea4c15bb27d7359bcdf38

SHA1
1c5064616477f984219ca84a23626b8fe4aa17f5

SHA256
61bb022f04c3735e87a2f06cc0c40dd541ff37d85d93817471130f8f3313b17a

SHA512
4cc4180bd537af3c5845ae21d30d96c05228e634a9477216d8ffc9255efb6bb36fff8fd1c30df2822667a1c59273fe95e399068c9e5b3ba1f2c24a0bc2ba8db9

Download Submit
memory/232-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/232-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/324-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/324-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/896-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/896-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1192-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1192-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3580-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3580-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3952-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads