f0eeb9963d11e293d699f25da264951a13ffbff0e64de3ea8cf2cef173319a2b

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8523faf166250390502b79fab2b8680N.exe
Size

128KB
MD5

e8523faf166250390502b79fab2b8680
SHA1

2d2c3786ff04697033fb8cafb227b5356b65a7a0
SHA256

f0eeb9963d11e293d699f25da264951a13ffbff0e64de3ea8cf2cef173319a2b
SHA512

61e7690e80086e3e20c205d7792f948864f912b241396139e7a5a6aaad9c7cb00ade39288b5215cbbb80a3505912c94fa305f09dace14b34f17b501df6b8b965
SSDEEP

3072:W4+9WF1Md0/cBV4SGkTDONd08uFafmHURHAVgnvedh6:N+9WF1Md0aViAyNd08uF8YU8gnve7

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e8523faf166250390502b79fab2b8680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e8523faf166250390502b79fab2b8680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe

Executes dropped EXE 32 IoCs

pid	Process
4992	Belebq32.exe
4560	Cfmajipb.exe
3992	Cmgjgcgo.exe
3564	Cenahpha.exe
3756	Chmndlge.exe
4864	Cmiflbel.exe
4248	Ceqnmpfo.exe
676	Chokikeb.exe
3124	Cmlcbbcj.exe
440	Ceckcp32.exe
5080	Cfdhkhjj.exe
2768	Cnkplejl.exe
4200	Ceehho32.exe
4680	Cdhhdlid.exe
3808	Cmqmma32.exe
344	Calhnpgn.exe
4380	Dhfajjoj.exe
4120	Dfiafg32.exe
2352	Dopigd32.exe
452	Dejacond.exe
4480	Dfknkg32.exe
1040	Dobfld32.exe
2820	Delnin32.exe
776	Dfnjafap.exe
4212	Dodbbdbb.exe
2192	Deokon32.exe
1372	Ddakjkqi.exe
1144	Dogogcpo.exe
4308	Daekdooc.exe
3104	Dhocqigp.exe
4912	Dknpmdfc.exe
3292	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Belebq32.exe	e8523faf166250390502b79fab2b8680N.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	e8523faf166250390502b79fab2b8680N.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2956	3292	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8523faf166250390502b79fab2b8680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	e8523faf166250390502b79fab2b8680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e8523faf166250390502b79fab2b8680N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e8523faf166250390502b79fab2b8680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e8523faf166250390502b79fab2b8680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4992	4524	e8523faf166250390502b79fab2b8680N.exe	83
PID 4524 wrote to memory of 4992	4524	e8523faf166250390502b79fab2b8680N.exe	83
PID 4524 wrote to memory of 4992	4524	e8523faf166250390502b79fab2b8680N.exe	83
PID 4992 wrote to memory of 4560	4992	Belebq32.exe	84
PID 4992 wrote to memory of 4560	4992	Belebq32.exe	84
PID 4992 wrote to memory of 4560	4992	Belebq32.exe	84
PID 4560 wrote to memory of 3992	4560	Cfmajipb.exe	85
PID 4560 wrote to memory of 3992	4560	Cfmajipb.exe	85
PID 4560 wrote to memory of 3992	4560	Cfmajipb.exe	85
PID 3992 wrote to memory of 3564	3992	Cmgjgcgo.exe	86
PID 3992 wrote to memory of 3564	3992	Cmgjgcgo.exe	86
PID 3992 wrote to memory of 3564	3992	Cmgjgcgo.exe	86
PID 3564 wrote to memory of 3756	3564	Cenahpha.exe	88
PID 3564 wrote to memory of 3756	3564	Cenahpha.exe	88
PID 3564 wrote to memory of 3756	3564	Cenahpha.exe	88
PID 3756 wrote to memory of 4864	3756	Chmndlge.exe	89
PID 3756 wrote to memory of 4864	3756	Chmndlge.exe	89
PID 3756 wrote to memory of 4864	3756	Chmndlge.exe	89
PID 4864 wrote to memory of 4248	4864	Cmiflbel.exe	91
PID 4864 wrote to memory of 4248	4864	Cmiflbel.exe	91
PID 4864 wrote to memory of 4248	4864	Cmiflbel.exe	91
PID 4248 wrote to memory of 676	4248	Ceqnmpfo.exe	92
PID 4248 wrote to memory of 676	4248	Ceqnmpfo.exe	92
PID 4248 wrote to memory of 676	4248	Ceqnmpfo.exe	92
PID 676 wrote to memory of 3124	676	Chokikeb.exe	93
PID 676 wrote to memory of 3124	676	Chokikeb.exe	93
PID 676 wrote to memory of 3124	676	Chokikeb.exe	93
PID 3124 wrote to memory of 440	3124	Cmlcbbcj.exe	94
PID 3124 wrote to memory of 440	3124	Cmlcbbcj.exe	94
PID 3124 wrote to memory of 440	3124	Cmlcbbcj.exe	94
PID 440 wrote to memory of 5080	440	Ceckcp32.exe	95
PID 440 wrote to memory of 5080	440	Ceckcp32.exe	95
PID 440 wrote to memory of 5080	440	Ceckcp32.exe	95
PID 5080 wrote to memory of 2768	5080	Cfdhkhjj.exe	96
PID 5080 wrote to memory of 2768	5080	Cfdhkhjj.exe	96
PID 5080 wrote to memory of 2768	5080	Cfdhkhjj.exe	96
PID 2768 wrote to memory of 4200	2768	Cnkplejl.exe	97
PID 2768 wrote to memory of 4200	2768	Cnkplejl.exe	97
PID 2768 wrote to memory of 4200	2768	Cnkplejl.exe	97
PID 4200 wrote to memory of 4680	4200	Ceehho32.exe	99
PID 4200 wrote to memory of 4680	4200	Ceehho32.exe	99
PID 4200 wrote to memory of 4680	4200	Ceehho32.exe	99
PID 4680 wrote to memory of 3808	4680	Cdhhdlid.exe	100
PID 4680 wrote to memory of 3808	4680	Cdhhdlid.exe	100
PID 4680 wrote to memory of 3808	4680	Cdhhdlid.exe	100
PID 3808 wrote to memory of 344	3808	Cmqmma32.exe	101
PID 3808 wrote to memory of 344	3808	Cmqmma32.exe	101
PID 3808 wrote to memory of 344	3808	Cmqmma32.exe	101
PID 344 wrote to memory of 4380	344	Calhnpgn.exe	102
PID 344 wrote to memory of 4380	344	Calhnpgn.exe	102
PID 344 wrote to memory of 4380	344	Calhnpgn.exe	102
PID 4380 wrote to memory of 4120	4380	Dhfajjoj.exe	103
PID 4380 wrote to memory of 4120	4380	Dhfajjoj.exe	103
PID 4380 wrote to memory of 4120	4380	Dhfajjoj.exe	103
PID 4120 wrote to memory of 2352	4120	Dfiafg32.exe	104
PID 4120 wrote to memory of 2352	4120	Dfiafg32.exe	104
PID 4120 wrote to memory of 2352	4120	Dfiafg32.exe	104
PID 2352 wrote to memory of 452	2352	Dopigd32.exe	105
PID 2352 wrote to memory of 452	2352	Dopigd32.exe	105
PID 2352 wrote to memory of 452	2352	Dopigd32.exe	105
PID 452 wrote to memory of 4480	452	Dejacond.exe	106
PID 452 wrote to memory of 4480	452	Dejacond.exe	106
PID 452 wrote to memory of 4480	452	Dejacond.exe	106
PID 4480 wrote to memory of 1040	4480	Dfknkg32.exe	107

C:\Users\Admin\AppData\Local\Temp\e8523faf166250390502b79fab2b8680N.exe
"C:\Users\Admin\AppData\Local\Temp\e8523faf166250390502b79fab2b8680N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\SysWOW64\Belebq32.exe
  C:\Windows\system32\Belebq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\Cfmajipb.exe
    C:\Windows\system32\Cfmajipb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\Cmgjgcgo.exe
      C:\Windows\system32\Cmgjgcgo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 216
        34⤵
        Program crash
        
        PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3292 -ip 3292
1⤵
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aoglcqao.dll

Filesize
7KB

MD5
7dbebf7a0bbe21e5585489e2618c002d

SHA1
f67d06bfd9c493202263f979bd0ac9a0a7751abf

SHA256
e6e9da41924b3f4644d1c65875a1d6b0f2ed6f88c3e357c39355cb170aee43f4

SHA512
beb7768f0735249199ca6c0c549707168191b35769b038ebb46e31117ce07785f0d6ed9ddb37f301bc83dfc6ab7e07d132071e3c29dfe05f5e5220b66122402c

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
128KB

MD5
df658d6c4e126b6b13718b84aac4d57d

SHA1
f6a0d2e48880d8ee9c1688379b0d9d0ac9eba948

SHA256
f029c09bb2b845cfd7231c109ecf0219719a1557166c9f915806dd6c57ed72bd

SHA512
a887c92ebe9b1c0e413cef3d8d4d2aee195e5f7f78c116ccd03509c7982f753325e8e2230aabf74598f21afbf889da65f1b9b3129aefa30f0ffdb7412813f094

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
128KB

MD5
ac94b2dd5b949def50acee03cd097775

SHA1
a8c0732d3fd12f32547819e65667019dd40ea2a8

SHA256
9df840a52af7fe823256a3fd5351f2d6be176567c09fca3ca20f594d2db875c9

SHA512
7fa2c2c9914d477298e08dbf425538b216eabbd6186a8a04871a9c595d0aeec0fea39ee811f92897ac455935adc77ea27ca169b278eb222f19c556104bc476ec

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
128KB

MD5
512fecd3a6894103868a15195c429c1b

SHA1
10ebab30039729c9d59dfc19846a377cb4fea568

SHA256
38d26353fe14800e01b8d19d9cf02b19b6941928e5641bd40c18147e162d63ed

SHA512
993960efb96dc54180bb7548b81f1b118a4beaa701b2bad9d767f2ba99463d8843959f25cded3cd2a7319542aab0c200d1ce3f781afc777469e54ab50c416e5f

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
128KB

MD5
1b5c59acba4d3195f0ece12fe7091f6d

SHA1
1a1a84d3a55babbaf923275a6212699de879c892

SHA256
8820556016d8a8d180967089c574d7d57c4c9a3dca4f463d550269fbadfdef64

SHA512
0267f1806687f23230777b877f9d4a3ea7b17cfc8e880e5395980fa0317b0beaf8e31a21613bcc61ba35b4ca4c882821eb1ecc6895021d5375efe333d2e72d76

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
128KB

MD5
f49de2debca5ec8a8f3d5d5637b7326b

SHA1
12a5685316ed6eacd2d0b338d05155b58c3604a4

SHA256
af4803003b045345a24cce0ea22fe5492553e4d503a65f622f0bc9b9518b9b6e

SHA512
3b517670804e77e8cb29236e0e3fbb55eef9c14d6f1ae4393687a5e9ec31c97b8988a29e269db5ce58613494b3a98ac168c0f3e7637c4c11469da8d93c62a98c

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
128KB

MD5
70273efb91ff53cf5f777848e11cc4cf

SHA1
d5952a133e51fb4a2e2f3d345641fcaa2696f485

SHA256
3eafea0ac9beab48b07188dd331196a5d3423dcff4674fde06a85df0e800ad95

SHA512
205a47c92358ef43ccaa7ef1c2bc6648e5e091e990e009c1d9d8a1faab331344c6b01680eb3d666359361100c23ef1629297c5f7aa1a3b36b4bb69e4f5d31445

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
128KB

MD5
6b2c418a19119340d74a4ed3615b40c0

SHA1
3537af595bfb92f5d4cebef22503e4c78eded1fd

SHA256
44e47ee0069e7f243fdbc8b4a623f4b33377787cbe4775b3f1940bcb1724dc7f

SHA512
645d6b31395ac03a591dab18a221b1b9cc3e58fc601e9dcfc94848bcc60ef3a321636458120a6fe67ff88fdd50e03e1784e9fd35a23451b8cf9919e61aa57950

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
128KB

MD5
b296818b7ef624bcf2693de581560029

SHA1
b8dba40f6534b3a8912092f7cb282c1291c4b2ed

SHA256
0331efa07123662f2ee9c83a28a81a9a7d0f3b1b41d841516a3ba23f1556b79f

SHA512
8a820cdf75e9d864d77a93e2590443bd1b6caa4c5e49165634221105e25d9b82e51f7f48f5264d7d9d7917301f612fbb65cdbfa5ee99a848c7a9249cc195ea39

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
128KB

MD5
654e26505d92b693e38369555893f73d

SHA1
7bb014598a36d3c2ca37c20278f2aea46ae18ec9

SHA256
34ba3d0cd380d9b85e6efaefa69719bd7790bb21ea6450c4b9141152f2e61fb9

SHA512
1ec2ce780686e79288d1d5679235a57aa49cc8e308f605c41852caddebe271d3f7201503aa596eb61d8d874d57f18b5e0cf4d3552cb7ffe695d405003cc723cf

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
128KB

MD5
0112fe7b91bc086c7ac0d4b74dc7ea9c

SHA1
a33d9415dac104d1f64747e274d9f7d3c7a4d3cc

SHA256
19ff07cd2fc6dfc9f333aca9c91e1eb923222bfce3f3cd8971811930872dcf9e

SHA512
a5740047df20fb40022d6077aa6b21857ed2522bb48ce46766f6de354fdfbedc2015c05639644d1393d098e1a29ee84e4edb915ae09e9ef0efe40c8e68efa5fc

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
128KB

MD5
a757d484b9f048ec1051b188bf9ef527

SHA1
193e09740bb51066f863a0ea8a2a656cbab06c03

SHA256
04cadd74709d9c3a5cb1fcc412e22e847cec40dc01667fc4899abc0bce0f8fc5

SHA512
309c8a31d082cec5ed96bc1ba959184a5ef9e6e4c680134ced82f98ac0376aad1f3d0a7bcdf1692d92d9ef7cc3956af35b09062121149e06e37b7eac70e5c191

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
128KB

MD5
0e3527fce5899f27df5c093e15e57b63

SHA1
84ec619bba955135688a071749e08cde4da507df

SHA256
6d9fca1a29464a9dbe7606e00009fd222aa157688d27349ed0a1180685fd778b

SHA512
acb01058d8e40ce4abd523471f5b1e905279455f483b0c3df00b6a15345d4d99d46890337694bfb56b44238d1de0f9a16aa34c411ac97c1bcb6308699e1af4f2

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
128KB

MD5
071f35e1426e51ed37723d773c080e51

SHA1
e3b7d1cf57690ea579813ea93914d3bb600d8025

SHA256
72c2678f84e4cd963ab44a1cf306049b1e7e1affb31681d1a34458cf8fd0d207

SHA512
6b9f83a4fb4e9977cbd53455b498dea8728b5be73abb2c3fffb24bc4e86e5636f08cc4e8de9baefc2a794213f5b3649407558a6804463dd71b28e9acc3a9538d

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
128KB

MD5
4a33da51080154b265702dbc48258c06

SHA1
e3ae5af9f64d4087f33c65be3066d71d27331e75

SHA256
fd40c25565564c858ec4e9882761f094c62dd6554a707d151715e43d15d28bc2

SHA512
762857571d9ef3b270ddb2f9188d28c2dbb947e4294212782535c6dc1bd9e32e5b9c88d90bf437eb4431654b9e6525629c8cc3e3b7eb36b6392845a058ed90d1

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
128KB

MD5
224d9e1a3069d4f132e4dd86abbeb4be

SHA1
d1c122aada662e3a33f137b460edf115326490f6

SHA256
da702ea2f56996d36ab5d7650fb1da834c8aa4e11d0f1b91e185f7f34b7d02e1

SHA512
7e53f0c20ea1eb82456580abf90c5866d3ba5b31c174240da7e566f81ba7d5757b5f6c4d5fc3aed615433b5c68f5dc1d628e693a3ad2e5de051d1c797ca28625

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
128KB

MD5
670b1c5f6657f782f2207fe2e13db23d

SHA1
ecfc1ad03203ef7c07fd2ed1f70b0860d7adf640

SHA256
bd4af0b236132686464a16f667d3e76235daf1894ac4ae838514050f104db400

SHA512
4824eec3313cb86032751ded7f22844cd95df31a85e9ed8b8dbd23afac1ebb5d9f513383017f5fdc4ee122ca280bbe9b1abc4dd39b589e98a8ebb29ac764d598

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
128KB

MD5
e5784ec839630a6da09e12c91ed89b42

SHA1
1e2a1c273e72b4cbf0cf9b09c68696696bbe5490

SHA256
ad3431583fa5d24a92ef755a550e750b4e6f0232398b6e57940178ade90b2d70

SHA512
5761f984937a4558e0e9b9f5181e372f90468471481672cb155c736f0e488afb92d9ce2610e7e48f6788008636c692295c9089fbbd412698aa81b597630c943b

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
128KB

MD5
99f929d26b4c0a3196e2d261c788b3f7

SHA1
0770b4c0c603a4d42d24a5ddf103e4cdae12aec7

SHA256
2ffbecda000aa8bb78bcad13856d20e8e3dbfb34340437ed2e8bc19ad73a6cab

SHA512
8cbe9331a42f42034bc497fafc25a1d63aa7fea1e5633172009b8680e7fc6b2156dc339f773157d7bbd029eb1a13abee3a05ff210522ddb2c1019394badfb3ca

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
128KB

MD5
b7d88893e5e3b653ba8eaf2cc471b82f

SHA1
39159a8b926e498d155bdf7bd0494cae93e29f5d

SHA256
ecf1ca8a13ef167e9c2ea4e2a43df83e39e173795f8d088452262cc850090773

SHA512
80ffafc418f5c53fd1cc2a23ac7a48f6e7ee08a8a06b947d49c0bf200359d1864daca7cc077e56a4070150691418e89a51f90f0af035ea7d72bdacf88f8f0dfe

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
128KB

MD5
dda4ef6d1ef354c89eab431b128f5580

SHA1
0705a2d0204ff269ab7b467a334a30fd4318e53d

SHA256
14cec605fe5d1b38984332c974944b72f667364d118ffdc710de29e9fc7b1eb5

SHA512
40322a743fba2060660d5491c673255ffe85e068e54dea695151141795f413bad39a95d201e3f50f08b5b16c112abaa1bd324ca6f2bb67e6975a966c6aa8f283

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
128KB

MD5
ddc833834201e0f918feda41d0625f64

SHA1
efc726fde31c76e13f23afbee8febdeef86f7de1

SHA256
6738603f570f0c85a9d158674b219fa90cd486bf01cc55db0535884f003c0147

SHA512
5efe43ee1052d2f780c5c3e723692b0a28efa40c9e01560d6deaf74a5a36c7844f74ba090bf4ef3b2cbfe1f634ca6e278d2b467d2b8300f1479aacdfa0616dc3

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
128KB

MD5
21045e99e248e77fa0776195cb6ab403

SHA1
5269cd47876aa01a88be6abd6be98d8c3eecbc58

SHA256
c6c3fc9101bc8847b9c2b4a6459e1aac857e2a41a1326b8162206042c8f83ff1

SHA512
3b8c27c997ad59e73559b8044a2b137388ffa95aabfda19f8a5b8f7fa30f044330a3eb79de6a3c8e5384e5821ad1f1dd442411bf1fedb6c821b958d550543ab2

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
128KB

MD5
aef9c7c2f5f0d315e71966822f33a74f

SHA1
02ec97b3bd9aab155afe22b0cd5b0dd9226a75ac

SHA256
dac0020bfe2bb3a628aa2d91f16ca5ec6b6ebd3c1ad7183493ac85ea982a54c6

SHA512
fb19936526d74ffc4b5e74d9a10cfab4b807228bbe1f189258ecae16c8907baf108e0a817dfc915fea0fc023058b639e0256474b64f987a4f84e46fb19285a5f

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
128KB

MD5
44c9f03d8e386c57cdfd32dbde2ec027

SHA1
a1a2e3cc1266642906a7f6c25c9c48b6cf11b85d

SHA256
23997ab58edf4733505cb56df8ef4ff5d567f9794e2593ef9a1dcb63336e7cbe

SHA512
dfbde96f16a8de85a73675ee74d53cc06f66521f8dba171e25055c9bfa20249bfe6854e251d76841a62f2f2c0f28c4e632ff8128cca2009abe055774319a0a92

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
128KB

MD5
3a9d0b09c81f701948084de029789081

SHA1
85979599b9119fbe6d6475e080d3dd2c9304ea6b

SHA256
a115488a2099df304e0c4a63ff0349ad415a9ebe348eced7a115683afc6fef9d

SHA512
b54b78f451778d6fb0bd0cf3b7444d33226802150365a77a0aa84dbfe2ef6b252439ec6f3b618417f6d6720150e62522821511834b6820c7b4e29b1ebd81a601

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
128KB

MD5
ae58ee7d5f2e70d9dc2acbf29da276f5

SHA1
56389991beabbd675f15a159bfd1e17c20c9f3ca

SHA256
7298ddebd03783f371ad137b22bd0cfa99c497e979f8112ec42b0eb2e73c1e69

SHA512
67fa0a03c2bee137cf4877b5500a7b2d8fbe1e8a13bd577701170c207676a0d9574db4c6191df8f06dfdeac8e3e7711d395dfdbb98ab5738c58a9d34af167095

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
128KB

MD5
197b49d51be5fc9db9621364ed04d560

SHA1
4909628118f0d94b5e96515dfdb5f0d1b43ca270

SHA256
b4f776eeb4fd9eee1d26f120c6657cb387416f84aeb30a307637681eec102d6f

SHA512
699617b45177101af21a042352da6a743cba224e5a55e3efa828e047aabc4af37e58a935540e62bba869569ff57c67ff920cf79cb17315312b198cbd1be6c6a7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
128KB

MD5
90335f105647871117d39056fbf46c8d

SHA1
cc46aa3ae9c87a6ba80d2edfa3ec95edc0791e7f

SHA256
9c59b17e17efcd419f8e7b7e02243b72d3d9e2fa51cae2b81aea9db477d5c111

SHA512
324852b7982752b56cc52ba6d67b953b07a3edc71bd86dd113780b30b0dc2f2d332a03d07871837620022032a2bef45e1f933e469b94b5be869ed32aaf967200

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
128KB

MD5
d078005c31f58a00dc0fe8fcc48fbd8d

SHA1
78312198264131eb36b56dd35f4d7dcb84ef2fe6

SHA256
f798c6794dcd0c4581785262ba00053692b3fc35081a78e83e7c932d9b0ff651

SHA512
13a33584f9eb78865db276b8c0777a4a2d621707994023fcb70ceb8ac3b17959ef9bd6973bd786a27ef2d64b2744da4e8a0f5cf3e358549f53d22a63ddab1023

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
128KB

MD5
3d6ffba3ae2c45747a418b5b1289f1c0

SHA1
b57f97cc07615a25073a258e61bf169d1bb09b96

SHA256
80e8162dc5f659b04b42d9951eb245b673581b4ce7a010efd8ec61a1d6b211d8

SHA512
c76e2cb29f34faa842aab1990aac0b6aed7c676a0652f189f7eb7ee96ef033e226c0d0b323b70acf66ee8c6c7d90d85a24e06674f731c4c577c1fa871f1846d3

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
128KB

MD5
0ddff3f7d22ffe591824e19aceb77bd2

SHA1
4059db2e0fc74b330d4747f79af5e4a45de16b86

SHA256
0016ae81137c8c71668330e74fd7b9e2c0afdc1c1d13633ccce58e5f086ab7c0

SHA512
0fa0549741923d45430a1e9383efcd0030e4b7011ad7306cea349999920ebe09d0787d94c7736fc57e2b3f0e7cde4cc8e320e1f71bf836ae2f76197bedda7eac

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
128KB

MD5
d316c83aa26dd5ed19da85236f824d50

SHA1
4eb583920af34668924e85df27950086f3a2f1c7

SHA256
c67de6b1de05690506756c50fe1c6ff34354956b9c04f5ae59234a17b32bab8d

SHA512
71c92b58bd9ea1780847da0dae5573dea8d34ee5bc272a290277fed4c012d573fb415ced37c570c1e3da59d23ea62346143a0c6e05b02f3813220be854d2c9f8

Download Submit
memory/344-127-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/344-272-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/440-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/440-277-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/452-269-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/452-159-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/676-279-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/676-63-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/776-264-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/776-191-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1040-267-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1040-175-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1144-261-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1144-223-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1372-262-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1372-216-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2192-208-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2192-265-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2352-270-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2352-151-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2768-96-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2768-275-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2820-183-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2820-266-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3104-239-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3104-259-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3124-71-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3124-278-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3292-255-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3292-257-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3564-283-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3564-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3756-282-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3756-39-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3808-273-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3808-120-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3992-284-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3992-23-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4120-144-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4120-271-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4200-109-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4212-199-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4212-263-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4248-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4248-280-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4308-231-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4308-260-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4380-140-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4480-268-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4480-167-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4524-287-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4524-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4560-285-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4560-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4680-274-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4680-111-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4864-281-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4864-48-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4912-247-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4912-258-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4992-286-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4992-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5080-87-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5080-276-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads