3b39fdd1057a3c081e652bd742b4208708b30fc0c065381dbd508c19eab04dfe

Analysis

max time kernel
101s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8302e168954ab5c5484a6971880288c0N.exe
Size

386KB
MD5

8302e168954ab5c5484a6971880288c0
SHA1

62cc8a6972f2f98da619984df2baa83d9ce27989
SHA256

3b39fdd1057a3c081e652bd742b4208708b30fc0c065381dbd508c19eab04dfe
SHA512

8e74165980484361d244f7dfb508d996899c9b93a035e2da42112a048cf3cfa2326b42d8d935cdf495660324d76be3f323a2ebaaaa7b732e9167d95e851f1673
SSDEEP

12288:LWlPalgnwQZ7287xmPFRkfJg9qwQZ7287xmP:nlgZZ/aFKm9qZZ/a

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8302e168954ab5c5484a6971880288c0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8302e168954ab5c5484a6971880288c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe

Executes dropped EXE 34 IoCs

pid	Process
1172	Acnlgp32.exe
2404	Afmhck32.exe
4596	Andqdh32.exe
1048	Aeniabfd.exe
936	Bjmnoi32.exe
1324	Bcebhoii.exe
1188	Bnkgeg32.exe
4288	Beeoaapl.exe
2216	Bjagjhnc.exe
2984	Bgehcmmm.exe
2524	Bjddphlq.exe
1820	Bhhdil32.exe
3044	Bjfaeh32.exe
3124	Cfmajipb.exe
4996	Cmgjgcgo.exe
4436	Cfpnph32.exe
2540	Ceqnmpfo.exe
8	Cfbkeh32.exe
2100	Cagobalc.exe
1212	Cdfkolkf.exe
488	Cajlhqjp.exe
1876	Ceehho32.exe
3296	Chcddk32.exe
4172	Cnnlaehj.exe
4300	Cmqmma32.exe
1552	Calhnpgn.exe
3260	Dhfajjoj.exe
1356	Dfiafg32.exe
5112	Dopigd32.exe
3696	Dmcibama.exe
4732	Dfpgffpm.exe
2304	Dmjocp32.exe
4552	Dknpmdfc.exe
232	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	8302e168954ab5c5484a6971880288c0N.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4080	232	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8302e168954ab5c5484a6971880288c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8302e168954ab5c5484a6971880288c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8302e168954ab5c5484a6971880288c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	8302e168954ab5c5484a6971880288c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8302e168954ab5c5484a6971880288c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8302e168954ab5c5484a6971880288c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cfbkeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 1172	4356	8302e168954ab5c5484a6971880288c0N.exe	84
PID 4356 wrote to memory of 1172	4356	8302e168954ab5c5484a6971880288c0N.exe	84
PID 4356 wrote to memory of 1172	4356	8302e168954ab5c5484a6971880288c0N.exe	84
PID 1172 wrote to memory of 2404	1172	Acnlgp32.exe	85
PID 1172 wrote to memory of 2404	1172	Acnlgp32.exe	85
PID 1172 wrote to memory of 2404	1172	Acnlgp32.exe	85
PID 2404 wrote to memory of 4596	2404	Afmhck32.exe	86
PID 2404 wrote to memory of 4596	2404	Afmhck32.exe	86
PID 2404 wrote to memory of 4596	2404	Afmhck32.exe	86
PID 4596 wrote to memory of 1048	4596	Andqdh32.exe	87
PID 4596 wrote to memory of 1048	4596	Andqdh32.exe	87
PID 4596 wrote to memory of 1048	4596	Andqdh32.exe	87
PID 1048 wrote to memory of 936	1048	Aeniabfd.exe	88
PID 1048 wrote to memory of 936	1048	Aeniabfd.exe	88
PID 1048 wrote to memory of 936	1048	Aeniabfd.exe	88
PID 936 wrote to memory of 1324	936	Bjmnoi32.exe	89
PID 936 wrote to memory of 1324	936	Bjmnoi32.exe	89
PID 936 wrote to memory of 1324	936	Bjmnoi32.exe	89
PID 1324 wrote to memory of 1188	1324	Bcebhoii.exe	90
PID 1324 wrote to memory of 1188	1324	Bcebhoii.exe	90
PID 1324 wrote to memory of 1188	1324	Bcebhoii.exe	90
PID 1188 wrote to memory of 4288	1188	Bnkgeg32.exe	91
PID 1188 wrote to memory of 4288	1188	Bnkgeg32.exe	91
PID 1188 wrote to memory of 4288	1188	Bnkgeg32.exe	91
PID 4288 wrote to memory of 2216	4288	Beeoaapl.exe	92
PID 4288 wrote to memory of 2216	4288	Beeoaapl.exe	92
PID 4288 wrote to memory of 2216	4288	Beeoaapl.exe	92
PID 2216 wrote to memory of 2984	2216	Bjagjhnc.exe	93
PID 2216 wrote to memory of 2984	2216	Bjagjhnc.exe	93
PID 2216 wrote to memory of 2984	2216	Bjagjhnc.exe	93
PID 2984 wrote to memory of 2524	2984	Bgehcmmm.exe	94
PID 2984 wrote to memory of 2524	2984	Bgehcmmm.exe	94
PID 2984 wrote to memory of 2524	2984	Bgehcmmm.exe	94
PID 2524 wrote to memory of 1820	2524	Bjddphlq.exe	95
PID 2524 wrote to memory of 1820	2524	Bjddphlq.exe	95
PID 2524 wrote to memory of 1820	2524	Bjddphlq.exe	95
PID 1820 wrote to memory of 3044	1820	Bhhdil32.exe	96
PID 1820 wrote to memory of 3044	1820	Bhhdil32.exe	96
PID 1820 wrote to memory of 3044	1820	Bhhdil32.exe	96
PID 3044 wrote to memory of 3124	3044	Bjfaeh32.exe	98
PID 3044 wrote to memory of 3124	3044	Bjfaeh32.exe	98
PID 3044 wrote to memory of 3124	3044	Bjfaeh32.exe	98
PID 3124 wrote to memory of 4996	3124	Cfmajipb.exe	99
PID 3124 wrote to memory of 4996	3124	Cfmajipb.exe	99
PID 3124 wrote to memory of 4996	3124	Cfmajipb.exe	99
PID 4996 wrote to memory of 4436	4996	Cmgjgcgo.exe	101
PID 4996 wrote to memory of 4436	4996	Cmgjgcgo.exe	101
PID 4996 wrote to memory of 4436	4996	Cmgjgcgo.exe	101
PID 4436 wrote to memory of 2540	4436	Cfpnph32.exe	102
PID 4436 wrote to memory of 2540	4436	Cfpnph32.exe	102
PID 4436 wrote to memory of 2540	4436	Cfpnph32.exe	102
PID 2540 wrote to memory of 8	2540	Ceqnmpfo.exe	103
PID 2540 wrote to memory of 8	2540	Ceqnmpfo.exe	103
PID 2540 wrote to memory of 8	2540	Ceqnmpfo.exe	103
PID 8 wrote to memory of 2100	8	Cfbkeh32.exe	104
PID 8 wrote to memory of 2100	8	Cfbkeh32.exe	104
PID 8 wrote to memory of 2100	8	Cfbkeh32.exe	104
PID 2100 wrote to memory of 1212	2100	Cagobalc.exe	106
PID 2100 wrote to memory of 1212	2100	Cagobalc.exe	106
PID 2100 wrote to memory of 1212	2100	Cagobalc.exe	106
PID 1212 wrote to memory of 488	1212	Cdfkolkf.exe	107
PID 1212 wrote to memory of 488	1212	Cdfkolkf.exe	107
PID 1212 wrote to memory of 488	1212	Cdfkolkf.exe	107
PID 488 wrote to memory of 1876	488	Cajlhqjp.exe	108

C:\Users\Admin\AppData\Local\Temp\8302e168954ab5c5484a6971880288c0N.exe
"C:\Users\Admin\AppData\Local\Temp\8302e168954ab5c5484a6971880288c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\Acnlgp32.exe
  C:\Windows\system32\Acnlgp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\Afmhck32.exe
    C:\Windows\system32\Afmhck32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\Andqdh32.exe
      C:\Windows\system32\Andqdh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 408
        37⤵
        Program crash
        
        PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 232 -ip 232
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
386KB

MD5
e46748af0567610961efab93ed6f9e3c

SHA1
15d1c785dea9128e262ed1fe878e66653ad2d660

SHA256
db2d5db1e26da65820731191f1c719227dce63588240b1cd38bed25ea86cf5f6

SHA512
ef3f1bd20c69809218b4a220bd828e9f153cce4f39b34831296068f268a706f50932c52c8548442d15f5079c22f2fa4a98cae0644ab50d369c17de9a3dadd958

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
386KB

MD5
bb2aa7199f46ee6633d09c0ec91d3537

SHA1
80db3839d6f59efe52c77990df2cf249524a08c9

SHA256
472451fa39aa6349f606f3a934a66362b61efc1dc3bd29222984cf4fd44a9133

SHA512
4f131826430882e7736b253f5ef07d87439d663c23d5c1d437bb0888d5349a1bd57265d128b980fbc103d7ad6527b6db733629aced17641246ee495c0be758a1

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
386KB

MD5
15420a543e2b284b9c017c44459eebc8

SHA1
475145fdde5f31eaf018a8945a0decddb49e634d

SHA256
15399f53ec739b3d3d79df09f37669c19ae310e7e341657afa988aae1b84499e

SHA512
96d352671d5aac5e5121bef7d00122978e80c0cc1ba70401662a29aed9e893602f92b8fd12e157959f8cf2dd2dfef500bca938719c349264b040d37a357ff5ac

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
386KB

MD5
4a7c2e926244272522a1b6f8e35cb62e

SHA1
8e5dd3c645b5169794c79700004964038bd75875

SHA256
a4cb8ba257fa7679767cc39301a81d7f30c103e2c6451fb4338d258576bdd29e

SHA512
515ec92288497deee032bcae2bcb95cb716064818a789ae5e6fafd76b9d7193ef203b70f71f4d4581947e33200bfad12fcd03bfaa77c8d4efcb8016eb7eb80ab

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
386KB

MD5
3a2273da333020ff48074787d7dc2e0e

SHA1
244f3b72afe3e5009ef91d70f3a3cea277832029

SHA256
a1d06adff44607bdffa4eff80cc209b62822580599ab985124cc21661b0269c3

SHA512
b1b0a9504d11869346c8703b661c1afa1faad6a445c83f5945a6813413650b42daaf05a1f307b05f8b4b877992530dd8a8e368f9325763c4250edbf77c0933a6

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
386KB

MD5
bf59b74b8635e6c1889c2277c509e979

SHA1
2d923d4a95d90d335a66e98b750dbff10e328717

SHA256
854f19be9ccbc343297f97150d5ddeef43d1652336788f7833f329e1ac2fbd3d

SHA512
93fbed97811fab47e4cbd791bcf997d61864aef966fbfa144ef0939afbdc768519083586c5bb7492795174b6048bcd9ba911dcb2dd661130b49efb3b53c6bc6d

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
386KB

MD5
2aa3fc8b9055a454aadccb79619570d7

SHA1
e32f596fca8909621827d2b629747d7f83d4d0e3

SHA256
f7664f5bb650eb5756ed5dafcbaffeb1e2e15d7381f73fb589860a5c4f5ea4cc

SHA512
513a4065a2f56b696353af26c1c1aa9628179259b2642f373e7b5afc75a81ee8896c2d8183f328e2b73657893fd421d320d659a2a8bbc984ce15e01d9d1fa21b

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
386KB

MD5
46b9e7ee8253e4343ac89159614ad86e

SHA1
f9dcf6d51c6c71fda77f4ae6e102bddc6b274373

SHA256
388566e4fde9351efb23657e5331287d7c3ec9158e98a038078cc0a072049f3f

SHA512
8f6c9962ff787e430ce2af78caae6124bde06d41bfda93a7035ae29085a9d2a1a68e5cd73a2dfd47975e7e4c492be37be3b9fc14f09ddaae027e8b02311f2827

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
386KB

MD5
2373656fb6d8650ed73feb0d56f98933

SHA1
9e0a1c54016bfb0fa0e6a7ca429b7d0882634d90

SHA256
a20457ebfaba42a3e3eae03da1b8e7849c0f40a12c91ee0317ba2547e72e813d

SHA512
8e2f10378eb403e58dd23c607755d7d6e2c7e764f734763b89a18b3dccbd97cc62fb01c9664b4fcfd9386280d66d61fb12e91cacbe492bc8b877fd24b5290c78

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
386KB

MD5
81bdeb688928273f885c417576fbf3d0

SHA1
7f3586b59f8980bde358f7d83e943890b87fa572

SHA256
be67fd37755a29d1f6335a9746eaa95d1ae34d69c9143e95ddfcbf6e547c47ce

SHA512
57c8e6965367a3d4325679ff3c6adb334474bac6b27880f04afeb1e46bcbbd227a288c595b4b4fba4b224bc44cef6c1583134ceba5f0ba2d173e7a7d017de5cf

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
386KB

MD5
c5590dd607c61ab8f17e975827a9edb3

SHA1
ec82e07c0ddc835da502814a69f99d8f4f4dfdb4

SHA256
d3ed76be9645d340cd636f472b3ac5bdfd4a25a6c9f55eb6696094f2d0a6c576

SHA512
b7f3c9cabac0dd84e3f98392b76c364d6cfc1f6dc4d72fc1b0aaba7f3e7e5c8f8063b65f211e213b9c5709a1ddc63c57a7a0877ff74b047b37d0db56b9e5c0cb

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
386KB

MD5
0d3393588f9c7ae2abdde4c4d4cdccc3

SHA1
2f9360ffc92738214ad76904ea2cbec3934982a3

SHA256
92ec644915762bca7984ef02e2fbf07f2914a4737d83e347cc65cd15ec25b481

SHA512
58714a9d21fa3b078458516a4188140c715fadfc0e1fd06c38bd351a5aaa19f7d36181817891c0f9030c4c7c202600f66d072e16cee604c817a62ec255db4e4d

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
386KB

MD5
9345cf23052f77188799085c6671947a

SHA1
7c4ff34968d5855c5f2f0349b9aa256447245b08

SHA256
7d3fb19ec48b72a4e220cc87754e14a3390ba532a0f68ce68f1ea2ce3130c8b6

SHA512
556168c1733ca569c6afff35dd045ff5750983c73a8df591fd3edcc9b189f6c83907355994e7dba62b3e264a58549acb3c7dc551da6468a26aa84139c6f4cf23

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
386KB

MD5
5bb00dc95b3f2c04597f451f988d8c88

SHA1
d329dac1f4169dede5b785d73c11cca64cb5e40f

SHA256
1a844910711eb39420ee52c70e6750ec0cb0f7f60e08ad04fb53a348725d37b8

SHA512
9c4a67ae32837b8fa04b97a57fa1a3c9bd631115a111bdd4dde1c615b1b007622493196fd9b4e27825b67c36cbecc4211b5ee19a9e25efb5e11bd0c604f817ae

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
386KB

MD5
54d6758836e2a8ad1a1399fea97f8ab1

SHA1
e5074ffd99958802d0cfde2c7f25b51dc6caa83e

SHA256
d383970e804c2586ff6e8472172026519998cd38834cf59646992d1ef2892d40

SHA512
7cd29c61082e68b1c5c01e6248322be34e454e54d50268fedd111fcdc3d64dac000e15c78bd637b6be36dfbcb1a2d8050a9b37bcb54275226bb52f8ab277c748

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
386KB

MD5
eeb62a846ddd06d530b1581f1020b1f3

SHA1
35119377761a0edd7a1eff4c4fd4d26b233de502

SHA256
098f33e0589e15aea57e87cc91f03272e237d2b00c6a4716fa687a1b3a5afabd

SHA512
eba594fa81dac4f79f6c1e34f2b8a6c5f8b6dd24ca8035304973832519089b200ed128c776c75a8bef71bac3740c8f524918c902fe861c27e4722f3f6c3d73bf

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
386KB

MD5
1cfcb967c7b5e0c6d2c52d5feaa36cb7

SHA1
4057608949c4b2910dfa57568e79f6075fd47fb3

SHA256
59b40eb09cffeffb7717ebf5bad304bc0866a2ab9f7d1252c4b50545de649d14

SHA512
95efa4422ea22d2a19824170130db879b8786f17f9eaf4bc384905151b63215e0e843b464982d3b8df11244118562c070550a38365ae5800bca1744c2241b670

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
386KB

MD5
42746c54012f89bf8b8f536cc003352e

SHA1
bee3cfcc27639a4fb0caf32db03b9e38d4de76ed

SHA256
d8f814f44133091da5a1b817899cbb85285d4fec316ca19b701aad1058d6f320

SHA512
a133dd9cd1a0ae8726e166b61090aae4c5611f91e8f79f37fa9a65eb653daeeb6c8e4131b4be3749a702f38f25c058cd8f55005b8360771279f37ec193292714

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
386KB

MD5
2a1379655e5bb35bef5a2d2f6745c6c4

SHA1
bb21db5e87dcc6c527f654ba8078d511931aff2a

SHA256
7bc1d48291031c16c2a7000b1b8e100ed4fe0ddce59829965678220bff9d08fb

SHA512
8c24e4e17f2a9f06db0ccfc229a55b1fbde8868418b70290b980cb8831f9ebb899803117aa02ba6b7f44622f1674104bc8b1311630a7536e8c55334dd25cfe5c

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
386KB

MD5
e33df2fb39c8b65d1311bc720fcdfe23

SHA1
16b15aab9d4c1989e4639e47266a9504d1203250

SHA256
59f965b8505b1473df89f55a98a1f6b9cb0c4121b97b316502acefd5c203dab1

SHA512
1cf4d0a1b64f0e38db20930d2339cf212f2e4a747489202f88d3fc20dc174557af352f0a2bd2a3ae68a575e4dbb27f7b43dc9f401f4ab9a44f615bff2c8a8ff4

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
386KB

MD5
27a782baa2ac95e8c4701879338d0366

SHA1
862c169a8531bd9a894e94a98edd4fcda7a015f9

SHA256
053c7e72b7a9e27377aed1b9b811a70e968d780804230b5b5f692485ce26c5f3

SHA512
7ebe795e779bb10cbcac9a471a94a5f0705e7d7c78d83648fc52f26afc1a7bafa7363250f045ed774f55242355246964447aab0ab7f37105a25a9916a5ef2492

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
386KB

MD5
f8e6a32d348fed225c748cd2e76157ca

SHA1
12e84bf42c4d344bbc9dbca4ed3672b0c7edef4a

SHA256
94da3e3d9438e13c5b876be96567ff2db03ac21f7f70ab164447511c89cb1c03

SHA512
23ad22f1ae98836d65270dcac5fc88fff5e1dfc170cbf78586ea288d7cae38bb7cd64077a4ac5abbb5da8299373a14e0c44fa47d3f7ba6dcbcfe858c83d67eca

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
386KB

MD5
9414c9e686f6c2614d5772e0b9ebe763

SHA1
a5f7c166bf62661fa03ff6e888526ab9765ca7db

SHA256
3a3a2c2f37f4ff9d2879dd6eda62551783811d8ab301fdcf922e41387cfb93d3

SHA512
e8e5491a1ffef70ae7c76a66f196deab3e9c66d9db51f0db353786b92e678161cd712ae77170960706741c2fa8cfeee8fa887db96438969e9d8c211b6e3134ea

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
386KB

MD5
47fcd7d4736c6af8367d93eed6564cf5

SHA1
15f54bde16af01421c3506b686dd24f7a03d4a1b

SHA256
2fe07bd161052d4cadb1eaa1440d6a1b377bf71412e008c30eb77d2c7d9b2f9c

SHA512
b8b52c548272043ec8a3e1fc9789e04a45c58db69fb092b9b823672f3c89e280a5c6f4389e72f7925c0c580fe1874971d1374ca13aa6a9c9c30e280199145d42

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
386KB

MD5
9f82988da7b1e83e6c7b21cb62972e4d

SHA1
0f45402d0047fd65c1638ad4c9262fee1feab01f

SHA256
3e7bacc0b883553f11b75fda070d56f00e840929f1d4420201b8ac66d9381044

SHA512
3e49d31fa7aac6603e41c998bbaa56bc8889d4f41dc5c5a1d10f1ffd03c271b14a278843d069ca9f23161f2b28939b742ce937f1b341b4c9e00c735dc4136755

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
386KB

MD5
b1e94c6c878e5aed434d84aa6b4497cd

SHA1
e351ef58c1e4060c1dfb59a8acb016b2e7063655

SHA256
0c2294a6f9387bd382816661427622f6e51ed28ae1137c6f5f8dfce8e59a7811

SHA512
aaf3907f8713740c18a90c20ecdd8090fe22fa2b1eb13e09b1e497cf894624eb39b6c0a4d5ab924b9a68ac46d1b0400d655b9248026e73d0169226a0f0bbcb50

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
386KB

MD5
b5bfe013d4935baf48cabd6895f45eef

SHA1
0bc3c313da9b47196f8ae8741e184e118da2f801

SHA256
89b09811d94d92baa16c9eeaf3a8f37c39af546e3c1c1085710243ff3eea6065

SHA512
595172a379a63eed233776b9b4a1ac0c6c8a3734d988dec838341e0ff0d819e5d509bfa5c9371584372d05eeba22c4fc562cf0ee570dbd8a551d3c33c7221793

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
386KB

MD5
fbe6db9dbcdee371a90416f784276ea2

SHA1
225c7e4a9e8077173dcebeaff83f1bb482c05b81

SHA256
c4905a23418c43cce13ba3aeadb59b1fb32fafde6e1199e36de65a29f530c2a3

SHA512
f0495fd6e20a7effb543e086114882abb09ff0ffe3818d52452f52021affb3d73b33ef51dc3338dc0bcf2cd9df726941e08f32a604d63bc5f93437af55257ff4

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
386KB

MD5
4a99d1b8d8e1c90d831343b6e30b896b

SHA1
b2cce77824ddb049158797bfbc486c4ebba62e1e

SHA256
2634070fe0dbffdfbfc7f411fc4bf774e2b840008a6fc01bed164ec6e5501f89

SHA512
d5b74439d945f6c6f6a838696a2f04f215d9e5e649cddb248d9029676ad1e1b6aff776e6df29b1f2367e7704476d6c77ecbe2ea3ebe658416decd0bb5c384d38

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
386KB

MD5
c7ee52a2ba919647b96bacb5a575d4fc

SHA1
351dd3d6fce3240dad47a6e8a3bebc94d4f41fea

SHA256
79a4b336f1d8cc4bc050efa55df5db25efaf4414af617b38c3786ab24da5824d

SHA512
a1c142cf61ebfa7cdc7f29ebec42f7aefcb05d7bfe78610d36465365933794a6d9adf9b17ce80fd3ab6915e1bd496be1e680f3799404b74cc93883d314492ce8

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
386KB

MD5
4c42907d997b4da0178adc614c7c1797

SHA1
acf38fe5deff4630de9e036acc20da2e10b54356

SHA256
356adc8f2a66468d4792c557075f606c645a9f23d07f35dd0836ffbe47c70318

SHA512
ee74c5eda5a71306b3ee8ec7b8ccfff47ee22f5e643892e14a9f2196de3d94b257950d8a2afb08200a0e303ef8f0afc0bc230be85028f7e0ca4b064c4d2f04aa

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
386KB

MD5
6bb8c8573ca6ed56effff82353ec49c2

SHA1
7325860c6c7b0cca5af4135350d5a71b505a9591

SHA256
653eb8aabaeaed66f816556e183e9a5a7769defa2ce0c76fafa03f7c68d532fd

SHA512
b0774e9edc940903a28176aca10ccd73f25aee5e7077372c5fd24c4e0e197d4b53c87ae59f76c1ae6bc8dbc666d1633e6f4f8a3d02e38aa37fc0e7c890f31fe4

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
386KB

MD5
030f65bcd00db2677f97e838c643e23d

SHA1
23e2519ecd5f9d9a027b33ef8fd54858f68d64fc

SHA256
a18c283bc81871cdf8ecbdda7b875e1b7fe44296effb50341d3c3da3246eef38

SHA512
e78b5446048c927c35ef630ab79744e90f75b203eb785f6847b88cc50b4e3bb68fbff5002af79d3a93c51b57cb030fbc1d6d82e5220674e2696c892f6cd2ebe3

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
386KB

MD5
78baee7b5c89f08e9241b99593f614b8

SHA1
aa9b0f2d2567e2d81625c6b74d3fd9378aa691dd

SHA256
488e3ad9261c7d5c193381e9e30f572a9f52d9a448e461d01f26d165d8e3b676

SHA512
17f40faf6063b135085b7fb0c76bd1ac4b6cd916280de640b65dd42d1badc973e5f9aa1147f9198b4fd39c61efb06ffc9a7638695388210b3e271f4dd5358195

Download Submit
C:\Windows\SysWOW64\Ldfgeigq.dll

Filesize
7KB

MD5
c05748c1fc8e3ca558e69b15f85bceb0

SHA1
26ff711718566920d184c2f5c3ec088c3c2ceebe

SHA256
82474d88ed324f26a174ba94638d9b6ca4b363bddf0197127251f7e461616c2d

SHA512
c57214a5a57103e63a53e1677e976903ebcfae9ff97f3077ba9e0679461fb86f60b3cbd213b3999a193c2c451e028f5bdad4eab079bf3b18e8fa3ad71db20d62

Download Submit
memory/8-304-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/8-144-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/232-268-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/232-271-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/488-298-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/488-169-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/936-330-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/936-40-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1048-31-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1048-332-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1172-338-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1172-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1188-326-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1188-55-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1212-159-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1212-300-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1324-328-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1324-47-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1356-282-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1356-228-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1552-206-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1552-288-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1820-316-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1820-95-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1876-296-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1876-177-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2100-302-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2100-152-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2216-71-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2216-322-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2304-255-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2304-275-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2404-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2404-336-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2524-318-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2524-88-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2540-135-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2540-306-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2984-320-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2984-80-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3044-104-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3044-314-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3124-111-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3124-312-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3260-215-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3260-284-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3296-184-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3296-294-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3696-278-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3696-238-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4172-292-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4288-324-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4288-63-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4300-203-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4300-290-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4356-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4356-340-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4436-127-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4436-308-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4468-212-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4468-286-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4552-272-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4552-262-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4596-334-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4596-24-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4732-276-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4732-247-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4996-120-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4996-310-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5112-280-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5112-236-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads