0fd291d7f7057e478b5521c881d544624684cf03f42732db41d1caf6eab10778

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c86741199cb49b51df3c2f5c8ae39210N.exe
Size

512KB
MD5

c86741199cb49b51df3c2f5c8ae39210
SHA1

ae36ddca466442e18a2aaf29df27dcd878378643
SHA256

0fd291d7f7057e478b5521c881d544624684cf03f42732db41d1caf6eab10778
SHA512

cfd70a1745ceeb1daaae454d01ac3f27d6d08589b40a88f788a95c9e8f5ae0ed4dfca592e1a2a259320836acd322098a3b00dde282ee90d3c2746f53a8952122
SSDEEP

6144:wIZHHwa3XEBeY9oIOMcxDHBFLqWjjgwTgZLnSnLs:ZtwaElgXtHBFLPj3TmLnWs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c86741199cb49b51df3c2f5c8ae39210N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c86741199cb49b51df3c2f5c8ae39210N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe

Executes dropped EXE 40 IoCs

pid	Process
1084	Bhhdil32.exe
1116	Bnbmefbg.exe
3332	Bapiabak.exe
376	Chmndlge.exe
1196	Cnffqf32.exe
3728	Caebma32.exe
4500	Cdcoim32.exe
1504	Cfbkeh32.exe
2732	Cdfkolkf.exe
3188	Cfdhkhjj.exe
3652	Cjpckf32.exe
2996	Cdhhdlid.exe
4764	Cffdpghg.exe
4640	Cjbpaf32.exe
4524	Cmqmma32.exe
4064	Calhnpgn.exe
2288	Cegdnopg.exe
920	Dhfajjoj.exe
4160	Dfiafg32.exe
3852	Dopigd32.exe
4652	Dmcibama.exe
3156	Dejacond.exe
4212	Ddmaok32.exe
2524	Dhhnpjmh.exe
4544	Djgjlelk.exe
440	Dobfld32.exe
4976	Daqbip32.exe
1236	Delnin32.exe
4368	Ddonekbl.exe
764	Dfnjafap.exe
3544	Dmgbnq32.exe
804	Daconoae.exe
2132	Ddakjkqi.exe
1984	Dhmgki32.exe
3912	Dkkcge32.exe
5032	Dmjocp32.exe
3248	Dddhpjof.exe
2068	Dgbdlf32.exe
2424	Dknpmdfc.exe
1252	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	c86741199cb49b51df3c2f5c8ae39210N.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe

Program crash 1 IoCs

pid	pid_target	Process
2420	1252	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c86741199cb49b51df3c2f5c8ae39210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c86741199cb49b51df3c2f5c8ae39210N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	c86741199cb49b51df3c2f5c8ae39210N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c86741199cb49b51df3c2f5c8ae39210N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1084	752	c86741199cb49b51df3c2f5c8ae39210N.exe	84
PID 752 wrote to memory of 1084	752	c86741199cb49b51df3c2f5c8ae39210N.exe	84
PID 752 wrote to memory of 1084	752	c86741199cb49b51df3c2f5c8ae39210N.exe	84
PID 1084 wrote to memory of 1116	1084	Bhhdil32.exe	85
PID 1084 wrote to memory of 1116	1084	Bhhdil32.exe	85
PID 1084 wrote to memory of 1116	1084	Bhhdil32.exe	85
PID 1116 wrote to memory of 3332	1116	Bnbmefbg.exe	86
PID 1116 wrote to memory of 3332	1116	Bnbmefbg.exe	86
PID 1116 wrote to memory of 3332	1116	Bnbmefbg.exe	86
PID 3332 wrote to memory of 376	3332	Bapiabak.exe	87
PID 3332 wrote to memory of 376	3332	Bapiabak.exe	87
PID 3332 wrote to memory of 376	3332	Bapiabak.exe	87
PID 376 wrote to memory of 1196	376	Chmndlge.exe	89
PID 376 wrote to memory of 1196	376	Chmndlge.exe	89
PID 376 wrote to memory of 1196	376	Chmndlge.exe	89
PID 1196 wrote to memory of 3728	1196	Cnffqf32.exe	90
PID 1196 wrote to memory of 3728	1196	Cnffqf32.exe	90
PID 1196 wrote to memory of 3728	1196	Cnffqf32.exe	90
PID 3728 wrote to memory of 4500	3728	Caebma32.exe	91
PID 3728 wrote to memory of 4500	3728	Caebma32.exe	91
PID 3728 wrote to memory of 4500	3728	Caebma32.exe	91
PID 4500 wrote to memory of 1504	4500	Cdcoim32.exe	92
PID 4500 wrote to memory of 1504	4500	Cdcoim32.exe	92
PID 4500 wrote to memory of 1504	4500	Cdcoim32.exe	92
PID 1504 wrote to memory of 2732	1504	Cfbkeh32.exe	93
PID 1504 wrote to memory of 2732	1504	Cfbkeh32.exe	93
PID 1504 wrote to memory of 2732	1504	Cfbkeh32.exe	93
PID 2732 wrote to memory of 3188	2732	Cdfkolkf.exe	94
PID 2732 wrote to memory of 3188	2732	Cdfkolkf.exe	94
PID 2732 wrote to memory of 3188	2732	Cdfkolkf.exe	94
PID 3188 wrote to memory of 3652	3188	Cfdhkhjj.exe	95
PID 3188 wrote to memory of 3652	3188	Cfdhkhjj.exe	95
PID 3188 wrote to memory of 3652	3188	Cfdhkhjj.exe	95
PID 3652 wrote to memory of 2996	3652	Cjpckf32.exe	97
PID 3652 wrote to memory of 2996	3652	Cjpckf32.exe	97
PID 3652 wrote to memory of 2996	3652	Cjpckf32.exe	97
PID 2996 wrote to memory of 4764	2996	Cdhhdlid.exe	98
PID 2996 wrote to memory of 4764	2996	Cdhhdlid.exe	98
PID 2996 wrote to memory of 4764	2996	Cdhhdlid.exe	98
PID 4764 wrote to memory of 4640	4764	Cffdpghg.exe	99
PID 4764 wrote to memory of 4640	4764	Cffdpghg.exe	99
PID 4764 wrote to memory of 4640	4764	Cffdpghg.exe	99
PID 4640 wrote to memory of 4524	4640	Cjbpaf32.exe	100
PID 4640 wrote to memory of 4524	4640	Cjbpaf32.exe	100
PID 4640 wrote to memory of 4524	4640	Cjbpaf32.exe	100
PID 4524 wrote to memory of 4064	4524	Cmqmma32.exe	101
PID 4524 wrote to memory of 4064	4524	Cmqmma32.exe	101
PID 4524 wrote to memory of 4064	4524	Cmqmma32.exe	101
PID 4064 wrote to memory of 2288	4064	Calhnpgn.exe	102
PID 4064 wrote to memory of 2288	4064	Calhnpgn.exe	102
PID 4064 wrote to memory of 2288	4064	Calhnpgn.exe	102
PID 2288 wrote to memory of 920	2288	Cegdnopg.exe	103
PID 2288 wrote to memory of 920	2288	Cegdnopg.exe	103
PID 2288 wrote to memory of 920	2288	Cegdnopg.exe	103
PID 920 wrote to memory of 4160	920	Dhfajjoj.exe	104
PID 920 wrote to memory of 4160	920	Dhfajjoj.exe	104
PID 920 wrote to memory of 4160	920	Dhfajjoj.exe	104
PID 4160 wrote to memory of 3852	4160	Dfiafg32.exe	105
PID 4160 wrote to memory of 3852	4160	Dfiafg32.exe	105
PID 4160 wrote to memory of 3852	4160	Dfiafg32.exe	105
PID 3852 wrote to memory of 4652	3852	Dopigd32.exe	106
PID 3852 wrote to memory of 4652	3852	Dopigd32.exe	106
PID 3852 wrote to memory of 4652	3852	Dopigd32.exe	106
PID 4652 wrote to memory of 3156	4652	Dmcibama.exe	107

C:\Users\Admin\AppData\Local\Temp\c86741199cb49b51df3c2f5c8ae39210N.exe
"C:\Users\Admin\AppData\Local\Temp\c86741199cb49b51df3c2f5c8ae39210N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\SysWOW64\Bhhdil32.exe
  C:\Windows\system32\Bhhdil32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\Bnbmefbg.exe
    C:\Windows\system32\Bnbmefbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\Bapiabak.exe
      C:\Windows\system32\Bapiabak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3332
    - - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 408
        42⤵
        Program crash
        
        PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1252 -ip 1252
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
512KB

MD5
992d6742506781b2636d269b51acf3a6

SHA1
65b2f5176d00162a7723ad76acc7feeff1af0dfd

SHA256
3deb0e8e34bd201a15f0cd3a4cfaefb2678befa63036658a452fcc02e8a01305

SHA512
4600eb83cdd05b7ef019ed6b2e05be7116bafce536ef12a5235fdab7b64c9888f5be19e9dfe1965c3e7e3bf0a1148d98762728411301df95d2f7fbbd520a65b6

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
512KB

MD5
3ec1b1370ce1f13fa51722814bb66e98

SHA1
146e7f9800044533611ded9b3e62521cb8056143

SHA256
29249b2ff1de3e4e03f860d6700a62a738b719fe850f74859ecf93912253ae18

SHA512
8779d7288ceb8aa3c0f1dd2436676db9dc70c0c3db5a08c98c3de9d1bcdb44e80e2446a54bbac160f92afb4fabacad9935bccfcbc711b397a08e16ccd7df2114

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
512KB

MD5
bd3fa85981f873f35a6d396ef314ac66

SHA1
50f3db868543a5364e55c13ed1feec7b93da37c8

SHA256
e91643469056923133b12d2db57b049e80714e70292166c4cfc4254f3894a80c

SHA512
3688c23a20d847290cc1765180ece38d395ab5ddbaa571de04cd2679c4b7d2a748005f7be894c653b05e88dd233337475e34beb2bf8a5590058f6fcb923f2a8f

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
512KB

MD5
ac887244cec5bc0e198d7434621b4cc6

SHA1
e154781cd58858dd82f63ef9edcd26b0ccf53f7f

SHA256
b5dfdccc83ba9228d3b99901b532274e244890abc4266c5425aac808f3f80868

SHA512
41525b644e190dcda08f9b98948e93923536cfa49fc3e5f3a752599007daae6395848c84881535660cbd8770f5ccca98c01b4c4656958eab0438996a88c5e11f

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
512KB

MD5
47090d9fb6b7b8250e3bbb9b551bff2e

SHA1
f05a0972192d7bf276b1ad6cdccba30a42f60999

SHA256
ac74fad5d2d3d698f6ac11c47b1a8ed0cb2ef01a5d7dc26b1c218d906a5fea67

SHA512
0b2dd1d31b469d84a4981c40d108cac23b848c30596c2b1320e98f6a30afe69f06afb8588b11ec2104bd92baa592524c4e7d770f0a26bd7ba32a18163d0e8a69

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
512KB

MD5
2c4e840c0ecff267c11b390969723f18

SHA1
2f49beb478ed50bcdfb4aa4fbbcdf2a6d2faf647

SHA256
66b746b18f02c39746b198a7c83de764632f11e9ee4f528e8c96cd2ba8ce1e3f

SHA512
8bc663862474b1af0f890dc598210940b7c76efc330aa02422f7961e616bec401543ee63a5789a705a8956c09759a12426ae7f34d5fb0530d5eebd22eaa01137

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
512KB

MD5
d84f40025fd43f29bff0b2e8fd269771

SHA1
30a81424966498993acf40c3591515d7bc46be53

SHA256
05f76ea691016a26c3fceb8ecd881d38ca2ce32787d027888a7f000a642b2805

SHA512
3411ad649d124793b41406037cc2e2c3d23930dadc6a35c09781c9796ecb5a9ab0afbe1a2531269a1904722be69cb3b2fc305583a9381d82cc4d2f5aa3026d22

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
512KB

MD5
af5a8f70cc32f42fc76bb778fecf5039

SHA1
503ff2dbc40675dd705f0705144d2a30b46b6186

SHA256
593b4a4d830df625dff5a3b066e8c51e749f723f5832b22f67548c9f1aa55229

SHA512
6b9733fdf2284b9514489865dd825f75f583d81aee937befdc3eb9ee9d61c25ed7c70c5759157a86114b330120e4405e3eff3eed2a75e1c4ee8366a67aeaa6fb

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
512KB

MD5
ecbe6b30710b13a30f42475078f89401

SHA1
a21d332c77073c586105d06b308caeebaf577f9a

SHA256
96eb1ef60b5fe0a2793fb8880d4f54f24f941912f0ea425b1222a2f60a47db6e

SHA512
6f0ce94215c48430d34d94da5000886e6174fe80998181e0148a054189288db999a9179a8f64a07e53542325a67916034e7d5159076b5754946fc9b0c62e97ee

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
512KB

MD5
a1609a71ad768740b4eec18eee491f9b

SHA1
adccd3ca6d859ed4b9165511128abb0c93f94fbc

SHA256
a228ca8ce95109079ef1cbed54f2c3a046345040db16589eafa942cd1e848367

SHA512
3e53caf72ada0be9b7a2b52c446213aa4ed2cf919bb85c8c9fc6d1bad2e6109a13b8b15aca60bb0213baf5543bd1f783df5d9c324e07b443ba2caba99e062a1f

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
512KB

MD5
67cb1d023b599ef7fd11943e2ed1ade7

SHA1
01fb15722eacc1fa0af14597436358b98d3c16c5

SHA256
7c69687741401acb0d9523c37e61d16c5060036643d7a90082158a258855b356

SHA512
156932510d1b8539aac93f350c03f9ada7d958e5577eba42433c4817d1e421eac052a485b29150132a81b00c3c29321ae49ac09ceea02d2afb701111fafbef02

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
512KB

MD5
50b00db8e8828d85568e18bd9e2a9d96

SHA1
a4d0f95c85f7a95748bb846141221d57bb9a841f

SHA256
c1b789bd2159bc2f8a35bd59129bd3692864116e1374ac0fd41ab54f53e30b93

SHA512
5c88c947619d75d8c959c9dcff6ad6304a5af26776b90efbd062426ac2cb7964c8ec0dd5a0cfd793c4dad0e3f4e3f48d70a366af5c6b832844252bb220051c37

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
512KB

MD5
802d343d2a4a49892a308ecfe46fa6ea

SHA1
31d420dcd54a799caf5b5d1fc71adb92993aeef8

SHA256
28c4958141cc97431f5f5bd001aadaf11749e5a867335344cc47e91e25d98bbd

SHA512
0d3e69d975243dd269322d36cf9c2cae3c9600efc191fe03f4c66de86b7e116036428913de305e0fc6fe50cf0d9214589db82b22c2de9e8bbd3edad528308218

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
512KB

MD5
2c9a85579d0e61d683c706af54d64424

SHA1
ab8f393c4e6133cea4749cadddc2e54bd3a4aacd

SHA256
a44da5c28e0fa196f2e100664b1bf430a09072e67323868d1d4599728e5c5a06

SHA512
c0636120790458214f905275cd55211ad473a0849d0b58944d7162e785507ce0e459f069152e271a0024aa7f1e5b106993b06319a88921d13b0e4367ce416ddc

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
512KB

MD5
3a13d8f05d11735f10b8b3302ad3b0c2

SHA1
a74b414ada5a0e332accbdc0bb51a5369a875f5e

SHA256
e2dc76cf70ebee080d14581d5dd8600f5793677c6bf281674d4fd4858670f074

SHA512
02f1b719da709f88bd83dea4fb0060fcb25bdd544f208c6834988227ea1369c2e6d8acfa6af415c7e8596ffd65524be04351c13e1f1e333df5db5bccc79095cd

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
512KB

MD5
ddc2b84cdfb9adfee1200476faa06a16

SHA1
7ff5125a6a01f3baee3cd411bc150885b332e32e

SHA256
5c2afa6fd4c202e148bcdcd9fface623544a30d6e69e5fefc508650358e4bbf3

SHA512
5cefe0f74ea37ac861609661869f08bd26735ea31de314a4cbd6617900d0505771eb05d15b0414a9901dce077f56e5154379bd849013c1f434b843c44f19be4c

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
512KB

MD5
1c9229cb56dfc337c542107bc9b37f10

SHA1
bad5c64a3494293b0760a79207db4fae8da2337c

SHA256
e1aba6904610c39378724b4c6947969dd7414eca040e73bf40848c2b009176ac

SHA512
6fd599dc7eeb9ef67895565942c46dac367a0ec29a0f8a087d1853ea805bfff8a34df7a9f5b2485423d7ca3b9d049171c7775dc6fe8cc490800ec7e11fd4f791

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
512KB

MD5
8afb4993cc39a357baf88f7ff3265ae3

SHA1
3276765de3620aa37bc435789f5e24e40c9dc519

SHA256
075b24fd499da8ef46c038d6aabf2c10da6f1ed4e3de86cc905412ed879b5129

SHA512
aa9fedc2abbd30a35ba20b60747dd73faa9e740110c6cde052bb7bf200736ed9b859f94fe891ca8d96a382eb75afedaf03be66e141ea274511f9bd96825abcf9

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
512KB

MD5
2d520e2abc392a70ba043b496c3dc59f

SHA1
caaf69860b17632f10fd615dd700dfef1d0a45df

SHA256
dc809aba509b98b84d2ee0ca1c40a27533fde818791cdbd0595e87e6730e80c1

SHA512
df9af9a72f2bd8b28e01fe1881e62ef4cbcb212350fc93c45fd2bd3243be9ec5e4c0a1cad0e53baef1b3c64c3818420348e34a34181507525bb3d237821c122b

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
512KB

MD5
fa39b82cccd5da38c15ef50674a1ce77

SHA1
9a51514ab5401975e699a037e7c7e8503dcc46f4

SHA256
52b693c713e2800456fb7810d3439974ce7be4bb2d447b2defffad717784a5be

SHA512
f1775e2bf183287a6afe8ae1c21423aab845c3ff2abd3cc9e76b2264a54624c97070876a626d33c20677ace34c2dc4071cbc57d46f9ae794d1e0a9d52bcc2a1e

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
512KB

MD5
4fc16a2250ac38a3da0626186d07cd02

SHA1
5f21f60bb166fcb764376b97a648019ffa83a6d9

SHA256
badac103dd2755707b4f6388152e7830f55cb0d5823468b67aa4440a98c95969

SHA512
3d25852f6c4a13142f671f4f9dc4c75c70c8c8979a2b3891778e71b6bb04d32a22d8a5f75963d2a360707c4a8e40a8e5314a1df8226b9b1ebeae95d48b3aac9d

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
512KB

MD5
76e3681eaa0fd663c0d932c900b0ccae

SHA1
e939f17dd65acaf7c32da1598e6c8ed1a13fbf65

SHA256
dd9efe28bf62d18746b81bf4b0d7749ee8338fe69f0bc3d43ee133a6a44dd4cb

SHA512
39689de5d128476460dec28cbaffa6c29e384da14132a3567ff184c31ac7553e93899a1daf9e8c4aafc5d6272c17d029bed852e0baffd2df9024e1212f7943ff

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
512KB

MD5
818159d125be5800b7e845658d776232

SHA1
1b8487c4458eeabdba0162a39403d4c0413cc23a

SHA256
84472c233834ff137ee70dbe5614beb8c8cf815113c170e30ff0ad3a2c0e667e

SHA512
a975b7b636491f90e74d8c348a428dc50c7224ac39463f5943b391d430a10427339db84de887719904caa4468f8f7618ffef4466a20a12a2c20a275faa2403c3

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
512KB

MD5
db894b4c88b3df4aa3789ddefa6da6a3

SHA1
766f96d1732c16e14c300a5559a452874963b478

SHA256
da9f04278af743fe9c2171aa1021c0cd9bd36b1a9722e9812af8478eacd09f42

SHA512
218a96f2a71c5a24b06db542c0be792d043fd313b5f0c079d148b9d9789e3820cc2e5c2f51357066ba80e694c5fbdcc522faab15fecbd507fde165f712299d7c

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
512KB

MD5
d130e6c5df232c538c4e5665dc0af0ce

SHA1
143ef884f8b5098c7a9f3d0aa57a9c2c01264866

SHA256
f5caec210d96d25106aff5cfe13f03415c79f086a683d5fd938703c2e2faf7f0

SHA512
ff593c79b38081c7ed3f65214b5e33b0b4e6c548ae8f7e5fe9f2886c5622e26133bc343480f4e86afecbc3ef84d1edfbd1c077d5fb9e1e8abc6383609cf23a46

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
512KB

MD5
56d5d245657402ffe51471dff4f71578

SHA1
58224cab7c5475e850c3d3e8b3b25c8c03c0539d

SHA256
40e490fd85d91e60ed296c3f25dfb5c600bdde3ac011d3c5becb34a6ba37d7df

SHA512
effbe33c315e6ba59d1288c9e1a673b3a73cb66be668439a0486869f532d1056187b2b9c5e636d1a417e92a94a27897fc86272921b616d3362c3db3de5748513

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
512KB

MD5
5d1ad3dc0ec65f0805707e3abde554a2

SHA1
41652a9f854edaeb134557f1f86995b6ae558e19

SHA256
d5e05d4134f973502259d179d34f24f8409e678fe1c8370824aecd2190d6216f

SHA512
6f34d971f4211df2ded7a68bf67c093563f2ee4a7f9b79891b9b7f937c5da335581426c00c05936d37c8399bf940f0790c3da71daa7eeb0c203d325490db981c

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
512KB

MD5
8957a695e5f25b36e9a1af795f7d5d0e

SHA1
12158ff352ff286c0a377f47cfa02d344123e18a

SHA256
b0052a5571a9a28da38a994f5d0ff21d57bec78a64ecdf5846cb0ecccbbd9bfa

SHA512
2d3d9770b6e4d17640ad441c01eba4ec44fbf469faad201307ae04ea2aa1801fabec6ef19511b1174b6a03391d1e16cde357abe356d13ff475d01b669c70be79

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
512KB

MD5
f0015b6f0bd0c0671dac196c7621ee05

SHA1
d460f090c82ca44ead5e46b74f89c455eec8fc22

SHA256
b406fffbff457144a5f139d477ba1200757aec0559d0094d95a147460ec6b5ea

SHA512
def15a5ddcb8059ab952e657322fef76a7a6914625ecf51911dc9c00dad702d7b25d7c40d8604c5c86aff90ce0394b096633fd4a0d726ea04d492f48cae5b050

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
512KB

MD5
7f1c8a3a7912f0b247f864075569fe7c

SHA1
1e2ee1eb47ddc186c386ba98766accc305468cea

SHA256
fba2e9cc33c4e73e8060fe9917512200dc364331e7be5e0a8322ca8835a4364d

SHA512
2dd12e81242c8875c8dbdf43152938aff2fd3057248e5a5c4cca0f38e66a26e76476beb1c923a5292973a8c50060ed553d4e59ca17361daeff584769d1ae8b31

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
512KB

MD5
4d73df4d80266c9026ca48d51951b330

SHA1
bd124ab5470810ac37b25f5308c053ecd52cb402

SHA256
37c2f74c31e6722cbe7eff2d447df4d26eb7e2126b31877866ea96b13eae2ce0

SHA512
1258a6849d293684a6d2d341c60dbd731550030830ab854f279084914f11ce618449b96dd490fc4fa6396f6d43e7fed826ea267d732d0c0b7e109ab365ba31f6

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
512KB

MD5
22219c00730488def05ae15de7093df2

SHA1
c96d25a84bbf737893ed0534d8810ed3cb88fb9c

SHA256
668559083b206839d6c21279ff757ced039cd0766cb4fc2e50f646a89aa5068d

SHA512
4457f5622134bd3dc4cef3e361e9dd542525b17d41b65c7a74830da8b9f9383c0fc1fa7b9d4e8dfcf8606829a977ac14271c2a1ca69de4f7e41ce353d6883911

Download Submit
C:\Windows\SysWOW64\Lfjhbihm.dll

Filesize
7KB

MD5
3ac43c6f57168ee77f2c8262ed76f198

SHA1
667b4fb823054df6575373239df99918c486c5e4

SHA256
80b4d53bd4a7a667a8056125a45926c60a6e2998ae11bfb18461e92629c83d1c

SHA512
de2a51d281d362d4e5bbb76348f96281c09dbb65702310016e4febfde4fdbba981263e9483a375aaf443827ee87ecac3cf5f4dae7b02ec1c5c0de2665837e1ec

Download Submit
memory/376-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/376-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/440-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/752-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/752-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/764-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/804-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/920-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1084-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1084-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1116-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1116-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1196-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1252-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1504-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1504-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1984-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2068-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2424-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-76-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2996-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3156-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3188-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3248-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3332-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3332-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3544-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3652-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3728-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3728-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3852-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3912-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4064-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4212-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4368-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4500-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4544-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4640-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4652-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4764-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4976-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-285-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads