7ae151fe093ebe92161bbb65b0890d937266fa16a2476df3974d493619c32d2b

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 23:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eb8646b4a2917630e6b6ff89062418c0N.exe
Size

64KB
MD5

eb8646b4a2917630e6b6ff89062418c0
SHA1

958d4016b7873bb6651b5091fbdd444ed6f8fed6
SHA256

7ae151fe093ebe92161bbb65b0890d937266fa16a2476df3974d493619c32d2b
SHA512

440ba67e2ce87af13a2ef4070f8f84bb81c9a7f27058b26139c2ead64bc02b229e2c813354272aa77553faf1ecd440e0713e0ea97c80d975dec683b1c8912152
SSDEEP

1536:aqoS6+JuknlgW97vGuu5boXTL3jHrXDST/L3jPbHzfrXDv7nT/L3jPbHzfrXDv7P:XTp7vGX50XTL3jHrXDST/L3jPbHzfrX/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	eb8646b4a2917630e6b6ff89062418c0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eb8646b4a2917630e6b6ff89062418c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe

Executes dropped EXE 30 IoCs

pid	Process
3492	Cenahpha.exe
3436	Chmndlge.exe
5004	Cfpnph32.exe
4336	Cnffqf32.exe
3792	Cmiflbel.exe
1672	Chokikeb.exe
4724	Cnicfe32.exe
1924	Cagobalc.exe
2480	Chagok32.exe
3520	Cjpckf32.exe
3448	Cmnpgb32.exe
3668	Cdhhdlid.exe
2472	Cffdpghg.exe
4596	Cnnlaehj.exe
2468	Cegdnopg.exe
4228	Dhfajjoj.exe
2944	Dopigd32.exe
3056	Danecp32.exe
1676	Ddmaok32.exe
4868	Dfknkg32.exe
4624	Dmefhako.exe
216	Ddonekbl.exe
4268	Dfnjafap.exe
4400	Dmgbnq32.exe
2608	Deokon32.exe
4212	Ddakjkqi.exe
1300	Dkkcge32.exe
2476	Daekdooc.exe
1776	Dgbdlf32.exe
1572	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	eb8646b4a2917630e6b6ff89062418c0N.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	eb8646b4a2917630e6b6ff89062418c0N.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4492	1572	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb8646b4a2917630e6b6ff89062418c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	eb8646b4a2917630e6b6ff89062418c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	eb8646b4a2917630e6b6ff89062418c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	eb8646b4a2917630e6b6ff89062418c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3492	2908	eb8646b4a2917630e6b6ff89062418c0N.exe	84
PID 2908 wrote to memory of 3492	2908	eb8646b4a2917630e6b6ff89062418c0N.exe	84
PID 2908 wrote to memory of 3492	2908	eb8646b4a2917630e6b6ff89062418c0N.exe	84
PID 3492 wrote to memory of 3436	3492	Cenahpha.exe	85
PID 3492 wrote to memory of 3436	3492	Cenahpha.exe	85
PID 3492 wrote to memory of 3436	3492	Cenahpha.exe	85
PID 3436 wrote to memory of 5004	3436	Chmndlge.exe	86
PID 3436 wrote to memory of 5004	3436	Chmndlge.exe	86
PID 3436 wrote to memory of 5004	3436	Chmndlge.exe	86
PID 5004 wrote to memory of 4336	5004	Cfpnph32.exe	87
PID 5004 wrote to memory of 4336	5004	Cfpnph32.exe	87
PID 5004 wrote to memory of 4336	5004	Cfpnph32.exe	87
PID 4336 wrote to memory of 3792	4336	Cnffqf32.exe	88
PID 4336 wrote to memory of 3792	4336	Cnffqf32.exe	88
PID 4336 wrote to memory of 3792	4336	Cnffqf32.exe	88
PID 3792 wrote to memory of 1672	3792	Cmiflbel.exe	89
PID 3792 wrote to memory of 1672	3792	Cmiflbel.exe	89
PID 3792 wrote to memory of 1672	3792	Cmiflbel.exe	89
PID 1672 wrote to memory of 4724	1672	Chokikeb.exe	90
PID 1672 wrote to memory of 4724	1672	Chokikeb.exe	90
PID 1672 wrote to memory of 4724	1672	Chokikeb.exe	90
PID 4724 wrote to memory of 1924	4724	Cnicfe32.exe	91
PID 4724 wrote to memory of 1924	4724	Cnicfe32.exe	91
PID 4724 wrote to memory of 1924	4724	Cnicfe32.exe	91
PID 1924 wrote to memory of 2480	1924	Cagobalc.exe	92
PID 1924 wrote to memory of 2480	1924	Cagobalc.exe	92
PID 1924 wrote to memory of 2480	1924	Cagobalc.exe	92
PID 2480 wrote to memory of 3520	2480	Chagok32.exe	93
PID 2480 wrote to memory of 3520	2480	Chagok32.exe	93
PID 2480 wrote to memory of 3520	2480	Chagok32.exe	93
PID 3520 wrote to memory of 3448	3520	Cjpckf32.exe	94
PID 3520 wrote to memory of 3448	3520	Cjpckf32.exe	94
PID 3520 wrote to memory of 3448	3520	Cjpckf32.exe	94
PID 3448 wrote to memory of 3668	3448	Cmnpgb32.exe	95
PID 3448 wrote to memory of 3668	3448	Cmnpgb32.exe	95
PID 3448 wrote to memory of 3668	3448	Cmnpgb32.exe	95
PID 3668 wrote to memory of 2472	3668	Cdhhdlid.exe	96
PID 3668 wrote to memory of 2472	3668	Cdhhdlid.exe	96
PID 3668 wrote to memory of 2472	3668	Cdhhdlid.exe	96
PID 2472 wrote to memory of 4596	2472	Cffdpghg.exe	97
PID 2472 wrote to memory of 4596	2472	Cffdpghg.exe	97
PID 2472 wrote to memory of 4596	2472	Cffdpghg.exe	97
PID 4596 wrote to memory of 2468	4596	Cnnlaehj.exe	98
PID 4596 wrote to memory of 2468	4596	Cnnlaehj.exe	98
PID 4596 wrote to memory of 2468	4596	Cnnlaehj.exe	98
PID 2468 wrote to memory of 4228	2468	Cegdnopg.exe	99
PID 2468 wrote to memory of 4228	2468	Cegdnopg.exe	99
PID 2468 wrote to memory of 4228	2468	Cegdnopg.exe	99
PID 4228 wrote to memory of 2944	4228	Dhfajjoj.exe	100
PID 4228 wrote to memory of 2944	4228	Dhfajjoj.exe	100
PID 4228 wrote to memory of 2944	4228	Dhfajjoj.exe	100
PID 2944 wrote to memory of 3056	2944	Dopigd32.exe	101
PID 2944 wrote to memory of 3056	2944	Dopigd32.exe	101
PID 2944 wrote to memory of 3056	2944	Dopigd32.exe	101
PID 3056 wrote to memory of 1676	3056	Danecp32.exe	102
PID 3056 wrote to memory of 1676	3056	Danecp32.exe	102
PID 3056 wrote to memory of 1676	3056	Danecp32.exe	102
PID 1676 wrote to memory of 4868	1676	Ddmaok32.exe	104
PID 1676 wrote to memory of 4868	1676	Ddmaok32.exe	104
PID 1676 wrote to memory of 4868	1676	Ddmaok32.exe	104
PID 4868 wrote to memory of 4624	4868	Dfknkg32.exe	105
PID 4868 wrote to memory of 4624	4868	Dfknkg32.exe	105
PID 4868 wrote to memory of 4624	4868	Dfknkg32.exe	105
PID 4624 wrote to memory of 216	4624	Dmefhako.exe	106

C:\Users\Admin\AppData\Local\Temp\eb8646b4a2917630e6b6ff89062418c0N.exe
"C:\Users\Admin\AppData\Local\Temp\eb8646b4a2917630e6b6ff89062418c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\Cenahpha.exe
  C:\Windows\system32\Cenahpha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\Chmndlge.exe
    C:\Windows\system32\Chmndlge.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\Cfpnph32.exe
      C:\Windows\system32\Cfpnph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 220
        32⤵
        Program crash
        
        PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1572 -ip 1572
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
64KB

MD5
bafab359f34b89f916c4e29c37ac8b04

SHA1
af559fe92b8ec2d1f4f9d577fd97e6537d69af59

SHA256
594a0bc1e1556435568cc0820fb320356d7ed9ad5165f6a58650a5e9e452f29f

SHA512
a8b6036d28079d91098780169ac8e3d1248d028845a98437596f123d1b74dd5c4861ce9154c676d6c39bb120a4593184fd272ecef947fda3c1550f422c15f8f3

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
d37914578e675157b3687a6fce44ac00

SHA1
3f5322759364967a2748f1921457283a67d6a171

SHA256
e898e0176fb02c12444583eb36e8afaac38d1c0c7977f219e1fa342a0c1d0fe2

SHA512
cb820ef32ac6d4ae384f933d5d4b00e7d6c3fbe4a5421bae0984fd3a4f59badce329bcce3225e9bcad81a4a072876fe41559254a3ab6e5a2b6488f3c851528b2

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
c454c49028262a75140039d440c446f4

SHA1
e1b3a61bf9ddfad4581135fd8c1a41f6ca53e986

SHA256
e1896428f11236daba56fd350c8e45483ac051605ed3e8a93f4ab2d5efb8ff41

SHA512
6651b040c1791b43a8e133fc073ffd46e9744dad2a666d4e508925a909b50608fc1f2d235c80ce8c118087d4994fe56f19aefefeacc26995a44ebe2687312e7f

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
64KB

MD5
7c992c4d4f7e93ee1f4c783195169534

SHA1
5b74f747031799e77a6c3978eb85daba403088d6

SHA256
cad501a1e2c616875f074d68e7764c96d9308227a0fe35953b51480ec3c99058

SHA512
dd7b053e10c2601853186f78974d100ef22face4a0175cb52cb67b1c4879c09e8beb00b54e3983fc2477edb91e76278d87d42e18b70062960c8610e18e99ed0d

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
6531897d66046c2a4930ed7465db8b78

SHA1
d9cc4587954281de4e18f75de0a7083644c2b8bd

SHA256
499adf039db2593bb237fade40e473ba4f22ad23af21b5c6d6a5cfeee968047f

SHA512
ff13ebc9fff1102d2e9979281d86021712ef403710d66437bb651579a9196ee4fba1f9fbc00bd005c297c2e25b3ed1641a8cf2d7aaa5d3b32e8fd174c6c7c7bc

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
64KB

MD5
e3374fcd04e4fa34a7ab699398b49593

SHA1
a4271207624ff5835f1edf496ea54dee84389c78

SHA256
0ddde7bfc5aec61025abc8bb930e5333608c7f2d6cc79656fee63910178da945

SHA512
8c683bae5d1f554a3b68fb670a53e884a8ce880bf5d3a4d536db524a4d722f63df8fd4d65f17b14571119c127b62bbdae38f370a17c72f0c2fcd8024515e4bc8

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
64KB

MD5
9558a572097f3cf3bdf2be003191746b

SHA1
cce223e9af759509d147bc0cb4786bda5ede9c70

SHA256
a5dca7e9c47cddd3194a920358c0c96c5d77d1c945d38e8646716fc02993237f

SHA512
0bf608846a0feb0d837634c74c34b85a0fc6401ce8474d5091463e93dc22f51cc4bdb619ea740502cef24b9eb625d51261a2390d4f0912894a1a1590bea97fdf

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
d8ea6a760baa00a20356f42bc0da9b8b

SHA1
e6873e1ff7ad2fa8214f020ae0ebb3e075e36eb4

SHA256
ba9ab1bc62827a4893bfa7ea8ebe2f7eb3b03e25f019d389e246d69d7ca9077c

SHA512
9cc008fcd479d82cc825b2fec2f3a36db2ab6a7138722c06480b7acd7bb62be439c8cc7aa6ae83a66f21327aa3deb73e09a66b6c2d5899b16f7cce5e51d6bfed

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
8d972711e02cd0ae6e3af99ffa30f24d

SHA1
52571d61ff031087e7ba749212c8f56c81e51f9a

SHA256
450f0d4061afd5c12f005c71cfc090eb287547720d58c451e9bef701513ce235

SHA512
633c6f84f2bfeb417b2fe7b22fef40782ea968917702fb11723f46262a2e3f563016c2a9ab31af0276ab80ca39c6fb6159a0030d0001764db25cfd6f2729420c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
c5f6f6a807fab92b0e9a7cdaa3c62c69

SHA1
5b5e0697ee69dc4af978a59b5d18818beae4c92d

SHA256
ef5a4c21c288a9b271b295d82fc0f8e78e73c2bbb8a9ea4e516f188cb9abb6d2

SHA512
b999ce19d1dd805a698fcaea9166be64daa975d85cd21292c57e97d26bd086a57ebfc5870fd2fb0d86db2327f006a4f1c74075975c41ffc155fff473c96547c7

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
64KB

MD5
e728ade1c9abaa6a1c484a63fe70125c

SHA1
24e78b264f1743dfc628f381becb7b283a7da385

SHA256
a2b94e41c4de267c824c5ca0f433d13a83c02cfe8d991d64105c36908ce39363

SHA512
9a2cc8f9f60054b16ff3d5afff68d3e09e61c97213ee8c7ba961934cd318576f42f34b441414886a4626f5ad66ade0b322c045f92b7eb93fbcb9f0ab634dbdc3

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
4015ca1a8fb87464800acedff3d68cc6

SHA1
16801f02315b9cf9db3c27d69bf74cf0d5319211

SHA256
c96687ddeb9c8ffe7f9237d5b6d7b79e6297f488dc11a518e94d3655370d661f

SHA512
5aab8b7daeceae5d3a9c0458354ff07772d1ad375d26dd6bba376d6aab2ee72fed7a5f4d27b22c2559fe72c9939b2b6f84d25dc8fb8c3cdf750067f37378941e

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
8b330e40e74aea4bb40bbbfa789e90d3

SHA1
5417b5a5cf978a702d63f472d5a16d35487d86e3

SHA256
e8d4075a44e5cddf6c44dc4148a4e465c897e04047bbb560311ba16b8c4f2930

SHA512
d2c29aeff017e21f3a9aad2374613f2346c9019da55819920ff33b7cae4fc906eb8652595d70fb955b621cd526d11bdcc0b4133139234a963fc6d9546a8140f7

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
64KB

MD5
db1511c3425af41b834fa0ad2850b52f

SHA1
a810684a9650cda37bd955b8f14b286fe8371f3a

SHA256
6bbf762b74824175f277d4e8e0c5fa9a60c030755ee2f4213d7b1d532287f940

SHA512
4b30257a8104bdfbdaa1b094cfd1091fa8cc2e6fb03f8c2763a3e97919dfe1e09fd5200d6a0453a696956920e1d84ae219f99d6942bb561d022d1dc894da258d

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
a9c44b768dd79cf23e59cf59b774ed1a

SHA1
45f06617d52fce96dc64f3e92193952ec78c53e3

SHA256
db69a4fdc47bf8faf725f627dff6e1d303030b2b2c858f8f4b2775d41faad3ce

SHA512
2dacf949f27c3b13bacb3297628a3d2e45d321e6ffb2e1735214fae2d72b43dc83862e1f89b12f8f69b5435b2e8f7537802c2bbf2c15ba4ac12cc888ccf10034

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
6edab44aa558e38086a3ee14fab1761f

SHA1
406243d9b677adea991c04b02b792e71e426a3c0

SHA256
3cab6c14f976751181b94714344b5f6093b13d42b690b0f79bbedfe2ad2aac66

SHA512
90ca73953e1db21a4e2b05021382b7a76953979789bca0a328245d6a8974ba13e1800d26458e62077fc566803ba421e2e1458d8082c21a1bae61d50c49ab5ff2

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
065bbcb1e1366ebb0f6a9b017fc16d59

SHA1
b437ef19cc771ac2ac7dde99392f04e0dd916d4d

SHA256
9c8616deb8ec6ec87045b568aa2caeb121c1fef235ed5b226f76e813e992c3cd

SHA512
628bb00e1aedd9c157c469b21764d1a82f36339ec9ac5fd3e456e88b2f24e15c095d95f741988085b99af7eb3e8efba8bbe759a63e2e66b8fa3cf2426801f26e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
8354b0bbdac8434156c3b738968ba88c

SHA1
99631f73e7d455ac634d60b79e126482a8d56033

SHA256
83f99017778539a0fc2feb013968a45f2b5fb210882f7535c03c129c734b76d2

SHA512
c45381de18eab53102a8b38c9cbb991946bd00a76405c1ba25c23c27b7d9c02ff3bd3a5f31c1a7791af3e714a6e8f4954aa74b791ccf90370156bfda9d81e0ed

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
23acbbbea900a4282c426de3683de3f7

SHA1
01c38d192d5f238b255ec25bb83c91690536c10b

SHA256
c08662e0dc81ff47ff2d058c7eecb54b67b7f85f86b82b6c37ed80b22e71436f

SHA512
acaba675a4c7a002a49bd67c3eb8087196e34f80d30f27c0cd65213fbba850b8e78dfe66b15e1429bfca0bbb8ffa758eb93b231e9553b4a4313834b6e16afca6

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
952adabacc3a852f0f7bfce06a8382b3

SHA1
fc7ddb498f6cc5c2a2c563755d6c70531d4d0094

SHA256
dc7aa1457d1550a6575f37f7ed0f5f5f1e2059ec7f7978ff01aa7881223fb5b2

SHA512
eecf474758b8f77ee18726a9f934172f0c7709b0cd7965c6b45c730a02edd7d3f68dfe32fc29996b1cd279c1d85ed4d25a905bcee6fb63b47eb41e8eb5ed8280

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
64KB

MD5
c0ef2eff60a7caab0d584e89952820f4

SHA1
3637589afe4091217b454416962d100fc14cfc1d

SHA256
b0be13522d7630b65fd7b0fe9fb4827f2351852827c90d4e76ae840039af108c

SHA512
6a4dd55cd296f5e377be4e4ddf92e4d745ee45ec72d663a6383a7d5a7d0975858f531c3933582dde211656e630d14d33541077c755667f59f8311889c75e9ae7

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
1a49f33616097dadd10d10de7f0afd0d

SHA1
5a5c4f00f2cc8db443913fe564ed09ec18d35aec

SHA256
2f9582469a33eda766c6ccc821daeabeb43b6f8bf99277d7a15508c5b8109fc6

SHA512
474a3f567f9c1582aa3e6b00cf67474a2be0e0cb1814ce15d8f8a8537161ac9b8e34eb6366d3da1bc12255805ff3d4c39dc22f0409a7246340f72f0e314d8306

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
64KB

MD5
c49b2ed5699273aa8dc8b28d93f31f74

SHA1
900b3219985c23c6eb75bee0ceddda90876d151d

SHA256
24af7fd4da6cbc55954ead9072426cd682b46ae37897ee7f8fc2b60e06693bf1

SHA512
bb692822f5400cafb864799780b067fd0c3cea64354b63da751872bf9a80e1272dfcb1562dc6ace056bad1c59042dc864d4d63a79af8660a188f0b87a83a6531

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
50b88303c6aa4beb4a604ed9a20bcaa3

SHA1
0d97aec90c719d803bf97a72c5a32a1577bdf38e

SHA256
e5ef5dfeb5c2ca50180cd4148aa8b704eea89484c7fc38f6dd4bec4d7e0840a9

SHA512
88425b0eaddd92566c42f93adf3cf9b6905ff879b1b5f534fab3dde9f08d6a49b11c6f3d5f6c621b667ac5b9a22424a7301657c1a3b53d26c6c51ca1d594b1bb

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
71819ed0968aca32f8b07959ac4efadf

SHA1
347f18f5be9672003d1adc31ee606bb40f18028a

SHA256
bbb74e4882e8c38bd236c5e50d4c4145265e3defc2c0e1975daba8918267a4e8

SHA512
d85384e528a08541ec012eee6399a363355c98ad2120a4e8351e1ecc154bb529313ba04d39f8c1bc0baffeb432dcfdd327d0a923e10f9a6bd3931e56a8e92548

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
67497cccc0f61846fe039317a3ca46a1

SHA1
7743db1b3498c2086d554ec9af3bafa8d1ee3c0f

SHA256
19cbdf203f0dd4faf5df8e7cd20d95f9093987285e3d70da076688039245b1a5

SHA512
6729e24c8cd360dccfd712fdc8d13a8b2d8a8431df674fb08b03a824b9c7ffe291f72656116becb1d5a6e0ab7bc21d112e869574f39847c24a95f73276549fba

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
64KB

MD5
09a17b0e68be27a54d29fbd86a00c32c

SHA1
a4342727c5410d9cc1a73061be25b4488da95556

SHA256
bcc23f08f34dd070c1c9aaf840c146eac4485225961e6cece85e57dda8e49e2f

SHA512
9543bae125f5561958f0cdf58d7a6d2d7a918fccf60176f85d19a86ce5ed317c199a7b852308cc6016e9c297b4e612f415fc081285bf64213a4a7fc248636d05

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
ac30a2ef93653ab3d5b91c2600125718

SHA1
ba021c9b7067cda38cc349a83931150ee11b82ef

SHA256
af689a1fbe81d6fc42ace40482fc1f4d77923d1676c14f0f25cd13bae30f9ff6

SHA512
7a7ec37ff303093d21241337ed545fef7036af11e3e1d64e98852153c3eca8bacfbacdab7e10e1aa36e73dc0a3ed2d4121879f5219593a0555786614a7c64ec5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
7b16f7882624dfa7380b538c3db01565

SHA1
28ab0cafc3eee7de19f49bbf79d923c2cb7bd70d

SHA256
51c204b96157cb14dd06af3174b04907c9d06ce4be4e62243b586d08ce9ac1f7

SHA512
018678532e2fdeb3a14d7665065d3025bd36fa16c4acc4a0e8078aa55af6f502c446f82a2b45d3a1a4e2309055ecf77779c3a99ce74e59d9cc82f295b7aa7b6b

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
c433f57acf4e75e8019c0005e82e0b3f

SHA1
390e5817763c05a9458346288543527997d47bc9

SHA256
c860be9e3353392b592bc5249115001eba9c9c2bb969034119f00d24d26b03b1

SHA512
51dc211a84a84175aa2dfe509880e570e959013c382b46c9ff25c7bd4747d9aa8da6f9ff6dc77ccd4baf866e0a66a5156a405b2bac52c501c924240d1048d232

Download Submit
memory/216-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/216-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1300-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1300-243-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1572-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1572-242-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1672-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1672-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1676-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1676-252-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1776-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1776-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2468-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2468-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2472-257-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2472-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2476-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2476-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2480-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2480-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2608-205-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2908-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2908-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2908-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2944-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3056-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3056-271-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3436-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3436-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3448-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3448-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3492-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3492-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3520-260-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3520-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3668-258-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3668-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3792-265-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3792-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4212-245-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4212-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4228-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4228-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4268-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4268-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4336-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4336-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4400-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4400-246-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4624-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4624-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4724-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4724-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4868-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4868-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5004-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5004-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads