de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed

Analysis

max time kernel
31s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 05:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Size

390KB
MD5

7eb3aa50249b34c59b8b67bf045880ca
SHA1

060e3f272deed6adf48afd1d7544219ce614ef2d
SHA256

de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed
SHA512

be6233214b37e8bbb6fc52433c221d25421d79e1dbf83db62c43ada718d1dfb8f4de6e3dddac2714a6b17c1ef7e90ed32609a7284177001c68926ec6d2f07ac3
SSDEEP

3072:JKr6GpaYPdsJ6+bWQALHLQGAZzasJR/X4a+SFkVsYtTHTMT5NeVWmjjGF:u6Gp5sJ6CbArLAZ26RQSFSTHAjhV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe

Executes dropped EXE 34 IoCs

pid	Process
4308	Accfbokl.exe
816	Bagflcje.exe
1900	Bcebhoii.exe
868	Baicac32.exe
2492	Bgcknmop.exe
3296	Beglgani.exe
1504	Bjddphlq.exe
840	Bclhhnca.exe
1496	Bnbmefbg.exe
4396	Bcoenmao.exe
4188	Cjinkg32.exe
3856	Cabfga32.exe
1968	Chmndlge.exe
3308	Cjkjpgfi.exe
4676	Chokikeb.exe
348	Cmlcbbcj.exe
4084	Cdfkolkf.exe
1516	Cjpckf32.exe
1960	Ceehho32.exe
4476	Cjbpaf32.exe
3156	Cmqmma32.exe
3804	Dfiafg32.exe
5032	Dopigd32.exe
216	Dejacond.exe
1200	Dfknkg32.exe
2856	Delnin32.exe
3260	Dfnjafap.exe
5100	Dmgbnq32.exe
1272	Dhmgki32.exe
3064	Dkkcge32.exe
2720	Deagdn32.exe
4436	Dgbdlf32.exe
4616	Doilmc32.exe
3460	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1624	3460	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 4308	1484	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe	83
PID 1484 wrote to memory of 4308	1484	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe	83
PID 1484 wrote to memory of 4308	1484	de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe	83
PID 4308 wrote to memory of 816	4308	Accfbokl.exe	84
PID 4308 wrote to memory of 816	4308	Accfbokl.exe	84
PID 4308 wrote to memory of 816	4308	Accfbokl.exe	84
PID 816 wrote to memory of 1900	816	Bagflcje.exe	85
PID 816 wrote to memory of 1900	816	Bagflcje.exe	85
PID 816 wrote to memory of 1900	816	Bagflcje.exe	85
PID 1900 wrote to memory of 868	1900	Bcebhoii.exe	87
PID 1900 wrote to memory of 868	1900	Bcebhoii.exe	87
PID 1900 wrote to memory of 868	1900	Bcebhoii.exe	87
PID 868 wrote to memory of 2492	868	Baicac32.exe	89
PID 868 wrote to memory of 2492	868	Baicac32.exe	89
PID 868 wrote to memory of 2492	868	Baicac32.exe	89
PID 2492 wrote to memory of 3296	2492	Bgcknmop.exe	90
PID 2492 wrote to memory of 3296	2492	Bgcknmop.exe	90
PID 2492 wrote to memory of 3296	2492	Bgcknmop.exe	90
PID 3296 wrote to memory of 1504	3296	Beglgani.exe	91
PID 3296 wrote to memory of 1504	3296	Beglgani.exe	91
PID 3296 wrote to memory of 1504	3296	Beglgani.exe	91
PID 1504 wrote to memory of 840	1504	Bjddphlq.exe	92
PID 1504 wrote to memory of 840	1504	Bjddphlq.exe	92
PID 1504 wrote to memory of 840	1504	Bjddphlq.exe	92
PID 840 wrote to memory of 1496	840	Bclhhnca.exe	94
PID 840 wrote to memory of 1496	840	Bclhhnca.exe	94
PID 840 wrote to memory of 1496	840	Bclhhnca.exe	94
PID 1496 wrote to memory of 4396	1496	Bnbmefbg.exe	95
PID 1496 wrote to memory of 4396	1496	Bnbmefbg.exe	95
PID 1496 wrote to memory of 4396	1496	Bnbmefbg.exe	95
PID 4396 wrote to memory of 4188	4396	Bcoenmao.exe	96
PID 4396 wrote to memory of 4188	4396	Bcoenmao.exe	96
PID 4396 wrote to memory of 4188	4396	Bcoenmao.exe	96
PID 4188 wrote to memory of 3856	4188	Cjinkg32.exe	97
PID 4188 wrote to memory of 3856	4188	Cjinkg32.exe	97
PID 4188 wrote to memory of 3856	4188	Cjinkg32.exe	97
PID 3856 wrote to memory of 1968	3856	Cabfga32.exe	98
PID 3856 wrote to memory of 1968	3856	Cabfga32.exe	98
PID 3856 wrote to memory of 1968	3856	Cabfga32.exe	98
PID 1968 wrote to memory of 3308	1968	Chmndlge.exe	99
PID 1968 wrote to memory of 3308	1968	Chmndlge.exe	99
PID 1968 wrote to memory of 3308	1968	Chmndlge.exe	99
PID 3308 wrote to memory of 4676	3308	Cjkjpgfi.exe	100
PID 3308 wrote to memory of 4676	3308	Cjkjpgfi.exe	100
PID 3308 wrote to memory of 4676	3308	Cjkjpgfi.exe	100
PID 4676 wrote to memory of 348	4676	Chokikeb.exe	101
PID 4676 wrote to memory of 348	4676	Chokikeb.exe	101
PID 4676 wrote to memory of 348	4676	Chokikeb.exe	101
PID 348 wrote to memory of 4084	348	Cmlcbbcj.exe	102
PID 348 wrote to memory of 4084	348	Cmlcbbcj.exe	102
PID 348 wrote to memory of 4084	348	Cmlcbbcj.exe	102
PID 4084 wrote to memory of 1516	4084	Cdfkolkf.exe	103
PID 4084 wrote to memory of 1516	4084	Cdfkolkf.exe	103
PID 4084 wrote to memory of 1516	4084	Cdfkolkf.exe	103
PID 1516 wrote to memory of 1960	1516	Cjpckf32.exe	104
PID 1516 wrote to memory of 1960	1516	Cjpckf32.exe	104
PID 1516 wrote to memory of 1960	1516	Cjpckf32.exe	104
PID 1960 wrote to memory of 4476	1960	Ceehho32.exe	105
PID 1960 wrote to memory of 4476	1960	Ceehho32.exe	105
PID 1960 wrote to memory of 4476	1960	Ceehho32.exe	105
PID 4476 wrote to memory of 3156	4476	Cjbpaf32.exe	106
PID 4476 wrote to memory of 3156	4476	Cjbpaf32.exe	106
PID 4476 wrote to memory of 3156	4476	Cjbpaf32.exe	106
PID 3156 wrote to memory of 3804	3156	Cmqmma32.exe	107

C:\Users\Admin\AppData\Local\Temp\de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe
"C:\Users\Admin\AppData\Local\Temp\de177004ce58cbdb2e384c4d2837e8eab1d0a001f8a582ade1cf9b3b5fca56ed.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\Accfbokl.exe
  C:\Windows\system32\Accfbokl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\Bagflcje.exe
    C:\Windows\system32\Bagflcje.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\SysWOW64\Bcebhoii.exe
      C:\Windows\system32\Bcebhoii.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 404
        36⤵
        Program crash
        
        PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3460 -ip 3460
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
390KB

MD5
03fbf7f7f278c4921594f5698475f6ec

SHA1
87f738b3fb97ce1123b577a93a9fd46698c11129

SHA256
ddc6ae5c6d5f29391bdfc7f665c76141dd211f03526811890bd6ca137fb8f0a6

SHA512
68468f2ccfc2201bea83dca74be930f7d10a83a96d620913b0649233bbce1d51ec41bc173b85ffe09ee1fd34cbb4bed2c99054e9a21ef6c7abb6f3c0d7405486

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
390KB

MD5
f816ff0444c21d9bf57595d88da9a1c8

SHA1
4d261622f5482ef0c146bf602e3fecfcb39d7902

SHA256
121bea614fdfd84c6f7edd6ef1b18b2a4473beaea71474269e0008cb4276a332

SHA512
74bd5ed68af81eb090b1dc4d87341ded5efcb302f4308cf4c3122929c9964aed7f908c1b6cbe144f697476c2e049bf9b128250e44675c8a947c09e64fdd4c6eb

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
390KB

MD5
5c7f54cd5bb9c399fbf8736719b45053

SHA1
c3437cee9e648b336cd7e58c497e014fd2db3ecf

SHA256
d561675c2bab43c4792158782cb3da079485c0d4fdbaca8f86b62765c3ca62b1

SHA512
c7c5f7c10bd08fd087b1724a193aa92a1bbffdeb5c51b5e1a4931a4d00b815febf88b18232f766bbdced710929f1b983cacac6bcc79bcdcede68176172d0b86a

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
390KB

MD5
264fd44ec624b671ba81d8dcd0224572

SHA1
6ff37e7a123ce70e986b8e98952c505db7ed0362

SHA256
0a8c0e10ce3d0feae8458f9b9d3f2096ff1e3ce32dd8cc9895c19527649725d5

SHA512
b5cd06847271d3759fc4e63d8d1f0ae100eb7b462d23bec28172706ddac4522144375fede8a9f714ac2a75409d03ebb5d0e227c5dd8de904bdad5b0660379ad7

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
390KB

MD5
ffdbca4b451f6e6daf6a8feca5254fd7

SHA1
dfd76a7eb3e9301404c95764b23074b797cd9942

SHA256
4173961a18217a8489985e7d728fd4cfbef437ea12b8e7e1440c088005f1ca76

SHA512
920c53516b94230dd8008eadd74d877984e47f062f57f3990ecee944e8a9a426a2a6c5cb8a83142c356028b20a26290567cf39bfa226e036c155339dd34f75d1

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
390KB

MD5
1d236b96ac2f01e8c863597eb6033115

SHA1
cfcd0b603cce27e8d0711ee1c8accb31ce163387

SHA256
946acefd01e161fcba4711390f31769beb5b7ebf41926fb46bfe4fdc3737f441

SHA512
d2784c241db469c61423598b9f33b1a7675651178420a25605c78c124143cdbbad0e0f2b04040890b2ac64322d698861995c6b2e20c0ec949baa9bbc6bb645c3

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
390KB

MD5
585531b8210506df8ab2cbeeb1a8d77b

SHA1
4dc65daae34ebe5cf6a8d3263d2f401ebac802e4

SHA256
0d060fd9aee5c8f77738a6aeecc1af94470347360774c4237fcb59399e74c0f1

SHA512
eec1555d70d1b2f8184eb6c5118a5a519d9d397de1e108060b0e7e83b263dc0a5fb0a538950c1cb974eaec86938d21292e21d933d70a58fefbfc9797ef0e2e30

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
390KB

MD5
c6ca1f6d9185e70b7a14c4ac85f61c01

SHA1
6972960f4bb55425c8729fbd4c1d9d1b329c04d1

SHA256
2ca0c3d750eb64f8f883df723b5c4782d2bbf0aaf7d4cb6cbf4d0482cd63ce37

SHA512
407cbf313e2de42de6a42f77a510c994ac3f062805a6ecc501406f420b2b4d5256d66d45307edeab28f280c356eb3db634b13880fdfe1549761ebe012a46b33b

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
390KB

MD5
f7b5700257700c3e1cae00be18367d5c

SHA1
ee72307969ec0f1ab5b8aa3fe7a878809f717c89

SHA256
dda842ebfcc9a7bba2ab044ebc7fa4ee0f0749ae3c96dcd57c3e51b51caa2b13

SHA512
efa62cd8bf3b66c065a9cbb29c06ccc4b249af3c1cadb29ef18e7cc2cdedf59b56d65561fec9049af134f45c8b01539f1becea822071fabd16ceb50149f2df44

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
390KB

MD5
35567796baa18bd12dd9e50e0a21ce6a

SHA1
41973b49d9f345b479100609952fb255badd593e

SHA256
eceb92c22e3967550a86559208590bfc41b8cd03315dadfe54cd00bb082be378

SHA512
55a299572cb605d0476c9e21d129670973739bbb3a9be6a677bac49db3f1d979ea091851eb0350fd4775d672d7083658630ed3d7bdb73f6e6ab6403b832a27e3

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
390KB

MD5
4e3643e69122127f7bd7017b4d54bff5

SHA1
2ff27686488985fd29dffee7c81ce5a153f08908

SHA256
f99cd5df3246f8ea050006539841079f441067e0f1aa44b73d8c4cd96b043060

SHA512
0c8be5b8d377c2862bcc5c9232fc184a6fb2bb3022f75d5ceaee3ba66a0beb0a58c0ab9d3b623ae2aa9dc6299777df113df6ebce58575dc849a2fbefb3f737f4

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
390KB

MD5
c7134e3b2550b258d473767b52352e9f

SHA1
336917723c80e1d902c534384661b9cab485e3ad

SHA256
5c57d001cfae1c2f961c55f13daf0e1d59693b4e1cc9e49033d133b19571c2f2

SHA512
00ab415f7b6c121cab81591e72846aaaf2887ab4478c540a6caf7030107686c4c4ae7f606d9c1ac64b0027ba5ecc70392cf4ac2978e2998b271f0df4d7f18b47

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
390KB

MD5
bb172cd59fe52f0292e802e8f9a68014

SHA1
96d1a3efc301d811c27c56812d42159e01aa8215

SHA256
9a39e4b7a803e21a0216a6a645df1f0c9545ba48ff7df74814c50aebf7d8d854

SHA512
80e131a9170b9d04772d347aa7eb5086d2f1adc84042dc8a5b0ae223e36701206737e025984e9aeff59caed902cbc66668cca0bfb965fc298e08dd8b5b5927a8

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
390KB

MD5
207881493b470dfc9fc00e84bcb09b88

SHA1
5073a65c676ceda009e3366ee44003cc531cc5bd

SHA256
6555abfdac658cbc17c25a35329c689731b05aac214d6b82ed7128cb2be12caf

SHA512
71deba8d1682de749464b584f84a1557796cb149e073ef0f08d603cac06038f0d6f37bbd72d1759af036d0238b916aa4bd49507520b09d5b8da66324c03dd1a3

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
390KB

MD5
3eb06850ea342dbf31206591af3dcbf4

SHA1
1a24627b00313d3e791c5863b56ef8e2dfa5876d

SHA256
deb29075964121eaaa1ac5da6f5c99e3620243fde10a1b08c7f2dc666ba38053

SHA512
cfcefe25afbf4662fe03295c1f73aeef9787217d4626ed1f57c6875fa4389b89e9a065926b87d7c9c085bc3d36f33c299f09a7a1a4a801c0245ead2b26497a25

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
390KB

MD5
8ac5f77240b8d4aaf4a0c250aafe4960

SHA1
d025cbc02dfd75635de2c3f965861fcb0ac58125

SHA256
aaa6f6da0ce12613849979340aab245809a11ace7c47144a7a720bea367b84dd

SHA512
746ad4fbcf4d0d8747cf16c1db0dfe7caed63b47b522d7cfa0e0b3b0635c1441f9398602ab443e20e09193c349670605c9efe4b0c2e21db08a1c58063625db69

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
390KB

MD5
7e3ba38e23cde1d6ed6bf8992b7d544f

SHA1
afa0217c99b9427fd4511b063bba774bef6e4d4e

SHA256
3b67b0e2f2ad56f9e6a7e1462268bdf1a9fa868460ebf47e9aa648a612df8640

SHA512
b9b9ba546daddea7395c5c2621e07c74ecaff23b22e12c64941741a70c35127076a1313ed1f48d2fbe80ab2721c5668ad3ffc821f017dab3f090ea8e04110943

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
390KB

MD5
5dedc79754e3a7765dd80c2688878918

SHA1
df6d0dfc21e0b00ee2142b484c981f8357310343

SHA256
525e0fc9c02183a66096010ccd49878ddf2285e784b2a0eb6738dd6d41611cff

SHA512
437c7808be1b95a9a5a133758f0534c21cc755d6d034a06210cc24d41ec46ccb0c3b1b0b6ec78c78f1447ef86806aa4b9ce9f1efe463d165c01d4b499dd5cb00

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
390KB

MD5
4a3be783ae86e91d0b5799d521e6d02a

SHA1
7da1da8f2b382bd4065bb4f6859aa195aa1dc025

SHA256
89f2ad079d9f4fa768b72c543388ecbd0eddcb37c4edfa6409733ea1a89e99a3

SHA512
fe9e8ba343a8c3f29b578912da20aa8bf4556e734ffdd58669312e517b7701b8a067cca5928d5c0717badb435b29b31d156c20d85fcfa0700f014dcabb93cc96

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
390KB

MD5
f2cf69e75f085df4299711b3b17e7e95

SHA1
bfd44072baf8fcc34c145f1d5e8bd092002a3420

SHA256
eaf6f791474c09693d32ed2b91fc5e095b4f8a1f590c9b42e2c77f153eec5508

SHA512
4148cc3925399fb04acb1d8a0912ac6b0ee9a9f4c012e54c07e69772331ba7e8937f056cf713c498ba61087a9a0932c360eb5e702416bf67aa6b6db454bf5095

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
390KB

MD5
d5ff12addc58639dc46c12858594faf7

SHA1
4a823d8f033979568d08c868ba15029230962b19

SHA256
01bec0007ddd5f922d4d330ebf7234eea749f71a368a15f09e4dd6ed1cdb8f42

SHA512
fb419b5ed5e664ef98d24ad6c0731edc6184b68f9136c1b42776797d83601a1fc2df6f00669eab138da4a235ee97cc18ef72b56d2fb1c5529d6eff02aa40339a

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
390KB

MD5
94c8763cf6bebb7655439737604aac3c

SHA1
b9eeebbd473d7c06c190db109cf676046e3520f8

SHA256
43f40dd9697ff1146db845b7ba6a045d3cdd90dd7adeb76e60a27ebfc99bf265

SHA512
ff221b4a252ffbdbab5d1229d4c59843527f4278f4938e498342986377056ce95b60c20d8d13919ea078271a02ca9106d134e4738bccda95fa2f775faa790e0a

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
390KB

MD5
44549305229b18bb2438ae3cf9e05c98

SHA1
cc4e43b7d4c9051a1fe1546914d8c75bf7dd4822

SHA256
0badce04a27abfc151291c68c091cb405ed3bf35a270d6fec13c614699c80f38

SHA512
eab9367d6ca683449a7d16f04df7f02dc1201fd7ef44e3cc60951c50c0dc80852f47002ee16ad4de945e670d0d49e8b8d2bdc859e1a3f0d95fe728174575a494

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
390KB

MD5
d6e7fe0ca48fe40c6f290ece2a091b56

SHA1
9d447d699888a787a6b3a3e8320bbd60c2b8a8ea

SHA256
e260db1132c0d03e0aa4335bf769b872fa1e5b56291e27c95575824da52d88dd

SHA512
df9ae6dcabfaae2f51bd19b8d657c0854b418ea1764da06edc756e43df183d851e9185db2e1664c38f6c1dd4418c70da9521f5be928a2bc9ad827a558d0732a6

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
390KB

MD5
29e3c84d41ead465771d0d39c912c626

SHA1
75fb4121af3fee4ea6dc066c193cf72af016dc2b

SHA256
7252b61b270aafa7874bdc4e3775c3e1b1aaf2b07ff73a594f679108dc1da0f0

SHA512
d0865fbacb88d888c6a7da46ff5f75f78fe1f78c9932fa1f6d21a1878bdfb06af92dcacac5a380809dc424a012d520cf4e10ebee55fef70f80973f903d94df60

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
390KB

MD5
0c6d16bed9f61e52a35007fc60144333

SHA1
fa0d757a3cd0fe0bb23f08414b99d36a75fef847

SHA256
40dbc40a3922dd1148fb7a1a8ffe34ce14748c85469804112da585805ca40fe4

SHA512
80845795ac50d678d6fa8303b19f474ba550460ae4b7c6806b5c1f4438dd99a2af95bb05ef4222c77e56f603d86daed4e67760da6d33b81dec935d756a92a432

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
390KB

MD5
a9c62955a1c217067bbbbab3f0f46df4

SHA1
395ca902af69df8af436df5836ebfa2e65d675ac

SHA256
e4892a6d1df033b3eeb66845b3e5e5b234bdaaf536e1eebb50800f5e6a98eeca

SHA512
b87a88e72417239a6a7b926e815f7ce10454b1d03bbc83129868ac00241e7100f241449c4ca282285a8f98f6c4ac1965a06af5661e8730216ebee23dcde8c4d8

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
390KB

MD5
fb7ad8e630db4031aef30992e29ba982

SHA1
ab7aa23c96546377b0f3894f5aae8bf65d707beb

SHA256
31391217903565a122b8f8d97dfd2db0cc677849e4fcefd888cbfd7116833ea2

SHA512
e6f866762a9bdcbe582cfb58d5b8d9a1b8118d808e4ea1b63c0de356710b90cccb136aa54859be4d384ebd0d276577ba8966c260ebe9ae3683d869c48193d2a5

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
390KB

MD5
0dd8fb82f8ffd18c863ff713f7b50deb

SHA1
01a17e678faf948dcf73743dda995e7a47b3af55

SHA256
0ed20acc74c41bdf61c34cd2c620e4dce65adf2a9541a04087e3cc16ceff59d8

SHA512
7e800eba6bcf9aef0b080a7a5e58507998ffc7f571af96ff16234bbabbe068c984f3986c6e289841c942f82037b9660d7517efb7e50792f726c9e6864a894f99

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
390KB

MD5
73b81dfb0588c92544cf709e1cabadf0

SHA1
bfb32b4b61620435f5ddab1a7bbe8c71b3d9c431

SHA256
40e948b908107bbbb5e6ac9c1bcb0f7d9cbe817f7931ce1e54fce08ed0764d84

SHA512
734cd37fcdf83eb072fd7311e31613fbda9c472087a3a24df953b6261bb79334770ba6ca73aa76e0da0c372ddcf034889388a6e01ed816b474e720716730e875

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
390KB

MD5
d06c5e65a905a83348991fb221599250

SHA1
948cb327e8c65b8a3f1145e6025cebcefc895e9a

SHA256
0af5d5dc81b7827d9d5af582fb09e5b7aade2073b0bc6d2068de52dcd28ef0b2

SHA512
23cb0f609f6e35870a84c5cead49088a706c8fa0073fc022e3305fc0befb3015238bd0f8e7b5c2d92a46349bfa2efed91b37cd46d8ccbe647a541d4cf1e95bd3

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
390KB

MD5
6aa3c6e4a3ebd36247d32baf2c1288f3

SHA1
85b18e34fbe0246d5edf2a95483a9f3dd2761d28

SHA256
976c859db14b5fac91a41918264f8f0282bf2384666f82a7d4068351993329c8

SHA512
39639444aad30e6e1a602ce1852fc1f12c8a29fc8df77312a046fced84137884770383df6a7b33fb8093ec24e6e461c0a1de9fc32e83a32aadd4a31004ce6196

Download Submit
memory/216-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1484-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads