5170e9b859f10909167b6d1b0b27a61cb7d361af814e0de764da64e3e1d0ec0e

Analysis

max time kernel
31s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 07:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a332a34ba916363bb6e1f07df9b25820N.exe
Size

446KB
MD5

a332a34ba916363bb6e1f07df9b25820
SHA1

ce0524ebfa2172e5bd960618aa9e299e5cbe888a
SHA256

5170e9b859f10909167b6d1b0b27a61cb7d361af814e0de764da64e3e1d0ec0e
SHA512

26c0280386fc7b66b9d13a77dcaa9911cc4d62b654572a51551e4d0b90d22500282c8aa8ef82439570ebd6d4ef3a21c5d5e39ccd3db3cb3cdbb64117bf1e8c7e
SSDEEP

6144:KfxnsiPOwXYrMdlvkGr0f+uPOwXYrMdlsLS7De:W6wIaJwIdSy

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a332a34ba916363bb6e1f07df9b25820N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a332a34ba916363bb6e1f07df9b25820N.exe

Executes dropped EXE 32 IoCs

pid	Process
2424	Accfbokl.exe
4472	Bmkjkd32.exe
1572	Bcebhoii.exe
1216	Bjokdipf.exe
1416	Bmngqdpj.exe
2028	Bmpcfdmg.exe
4812	Bgehcmmm.exe
1764	Bmbplc32.exe
2968	Bclhhnca.exe
1364	Bjfaeh32.exe
4416	Bcoenmao.exe
1472	Cndikf32.exe
1968	Cdabcm32.exe
1840	Cnffqf32.exe
3608	Cdcoim32.exe
116	Cjmgfgdf.exe
3520	Ceckcp32.exe
3124	Chagok32.exe
1992	Cmnpgb32.exe
436	Ceehho32.exe
4828	Cjbpaf32.exe
3396	Calhnpgn.exe
4312	Dfiafg32.exe
3596	Dmcibama.exe
540	Dhhnpjmh.exe
1436	Dobfld32.exe
4880	Ddonekbl.exe
4840	Dmgbnq32.exe
4736	Dhmgki32.exe
3880	Dogogcpo.exe
772	Dhocqigp.exe
3116	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	a332a34ba916363bb6e1f07df9b25820N.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4892	3116	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a332a34ba916363bb6e1f07df9b25820N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a332a34ba916363bb6e1f07df9b25820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a332a34ba916363bb6e1f07df9b25820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	a332a34ba916363bb6e1f07df9b25820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a332a34ba916363bb6e1f07df9b25820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2424	1552	a332a34ba916363bb6e1f07df9b25820N.exe	83
PID 1552 wrote to memory of 2424	1552	a332a34ba916363bb6e1f07df9b25820N.exe	83
PID 1552 wrote to memory of 2424	1552	a332a34ba916363bb6e1f07df9b25820N.exe	83
PID 2424 wrote to memory of 4472	2424	Accfbokl.exe	84
PID 2424 wrote to memory of 4472	2424	Accfbokl.exe	84
PID 2424 wrote to memory of 4472	2424	Accfbokl.exe	84
PID 4472 wrote to memory of 1572	4472	Bmkjkd32.exe	85
PID 4472 wrote to memory of 1572	4472	Bmkjkd32.exe	85
PID 4472 wrote to memory of 1572	4472	Bmkjkd32.exe	85
PID 1572 wrote to memory of 1216	1572	Bcebhoii.exe	86
PID 1572 wrote to memory of 1216	1572	Bcebhoii.exe	86
PID 1572 wrote to memory of 1216	1572	Bcebhoii.exe	86
PID 1216 wrote to memory of 1416	1216	Bjokdipf.exe	87
PID 1216 wrote to memory of 1416	1216	Bjokdipf.exe	87
PID 1216 wrote to memory of 1416	1216	Bjokdipf.exe	87
PID 1416 wrote to memory of 2028	1416	Bmngqdpj.exe	89
PID 1416 wrote to memory of 2028	1416	Bmngqdpj.exe	89
PID 1416 wrote to memory of 2028	1416	Bmngqdpj.exe	89
PID 2028 wrote to memory of 4812	2028	Bmpcfdmg.exe	90
PID 2028 wrote to memory of 4812	2028	Bmpcfdmg.exe	90
PID 2028 wrote to memory of 4812	2028	Bmpcfdmg.exe	90
PID 4812 wrote to memory of 1764	4812	Bgehcmmm.exe	92
PID 4812 wrote to memory of 1764	4812	Bgehcmmm.exe	92
PID 4812 wrote to memory of 1764	4812	Bgehcmmm.exe	92
PID 1764 wrote to memory of 2968	1764	Bmbplc32.exe	93
PID 1764 wrote to memory of 2968	1764	Bmbplc32.exe	93
PID 1764 wrote to memory of 2968	1764	Bmbplc32.exe	93
PID 2968 wrote to memory of 1364	2968	Bclhhnca.exe	94
PID 2968 wrote to memory of 1364	2968	Bclhhnca.exe	94
PID 2968 wrote to memory of 1364	2968	Bclhhnca.exe	94
PID 1364 wrote to memory of 4416	1364	Bjfaeh32.exe	96
PID 1364 wrote to memory of 4416	1364	Bjfaeh32.exe	96
PID 1364 wrote to memory of 4416	1364	Bjfaeh32.exe	96
PID 4416 wrote to memory of 1472	4416	Bcoenmao.exe	97
PID 4416 wrote to memory of 1472	4416	Bcoenmao.exe	97
PID 4416 wrote to memory of 1472	4416	Bcoenmao.exe	97
PID 1472 wrote to memory of 1968	1472	Cndikf32.exe	98
PID 1472 wrote to memory of 1968	1472	Cndikf32.exe	98
PID 1472 wrote to memory of 1968	1472	Cndikf32.exe	98
PID 1968 wrote to memory of 1840	1968	Cdabcm32.exe	99
PID 1968 wrote to memory of 1840	1968	Cdabcm32.exe	99
PID 1968 wrote to memory of 1840	1968	Cdabcm32.exe	99
PID 1840 wrote to memory of 3608	1840	Cnffqf32.exe	100
PID 1840 wrote to memory of 3608	1840	Cnffqf32.exe	100
PID 1840 wrote to memory of 3608	1840	Cnffqf32.exe	100
PID 3608 wrote to memory of 116	3608	Cdcoim32.exe	101
PID 3608 wrote to memory of 116	3608	Cdcoim32.exe	101
PID 3608 wrote to memory of 116	3608	Cdcoim32.exe	101
PID 116 wrote to memory of 3520	116	Cjmgfgdf.exe	102
PID 116 wrote to memory of 3520	116	Cjmgfgdf.exe	102
PID 116 wrote to memory of 3520	116	Cjmgfgdf.exe	102
PID 3520 wrote to memory of 3124	3520	Ceckcp32.exe	103
PID 3520 wrote to memory of 3124	3520	Ceckcp32.exe	103
PID 3520 wrote to memory of 3124	3520	Ceckcp32.exe	103
PID 3124 wrote to memory of 1992	3124	Chagok32.exe	104
PID 3124 wrote to memory of 1992	3124	Chagok32.exe	104
PID 3124 wrote to memory of 1992	3124	Chagok32.exe	104
PID 1992 wrote to memory of 436	1992	Cmnpgb32.exe	105
PID 1992 wrote to memory of 436	1992	Cmnpgb32.exe	105
PID 1992 wrote to memory of 436	1992	Cmnpgb32.exe	105
PID 436 wrote to memory of 4828	436	Ceehho32.exe	106
PID 436 wrote to memory of 4828	436	Ceehho32.exe	106
PID 436 wrote to memory of 4828	436	Ceehho32.exe	106
PID 4828 wrote to memory of 3396	4828	Cjbpaf32.exe	107

C:\Users\Admin\AppData\Local\Temp\a332a34ba916363bb6e1f07df9b25820N.exe
"C:\Users\Admin\AppData\Local\Temp\a332a34ba916363bb6e1f07df9b25820N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\Accfbokl.exe
  C:\Windows\system32\Accfbokl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\Bmkjkd32.exe
    C:\Windows\system32\Bmkjkd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\SysWOW64\Bcebhoii.exe
      C:\Windows\system32\Bcebhoii.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 396
        34⤵
        Program crash
        
        PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3116 -ip 3116
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
446KB

MD5
bfa322e910d7240a95df90e8f3acb180

SHA1
f5d00960f8158c41ca7ff0b0aaf2857fe572d79c

SHA256
6cc2a8da9e64857596c5768f6c144f684712eeda1f7303d9112f73d26113ad88

SHA512
29f610c1812ecb5eac9d76f52db7d3a419e0ae2f34345d46e7eb5bdffc9140017d58e27c3a35678511309da2a1c851ffc5a505d6262e5dba961ae062d1728d62

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
446KB

MD5
07b88f0a1176a77505318d96b63dd2c2

SHA1
9d93b645e66914fca3bfa7432973582c3c9773cc

SHA256
0d81ffa2086fa7216fadd5647d01974d3b419317d40060cb4796cd26a44dd160

SHA512
07d616a87e5fc37d657fcd56c2765f438cd0a953ed374bc04953a9cd9a06f5cb55d4749e032c007817ef3f7ac67f67809edc2021f75de6e1d2f09085351a0a03

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
446KB

MD5
a50067d58c886797d625e6068770592c

SHA1
2c3657f0d2d2d944f473063e30796e46afc7fd63

SHA256
20614e3eaebd67afea47d4dc40f55ce38d4d78b9978e7b1624c9ca87e8361da4

SHA512
a8329b9f6d7301dd46c23dd4ffd262ba7c9420503a71503d4c9efd85ae08d0f87ff676dba24dff4072ebf98091be0381a7437525528aacaf2fa351426f1c119b

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
446KB

MD5
b9a9c88db00ede5ac98ceda8a87408b3

SHA1
50e1bbce9e7789275bc86a4f87b63d75a857b787

SHA256
52f2e6f1ea96c436ca16513efee9d3850d8c2301c2f0f7b1299f8b2fcd6abe94

SHA512
b43c900b34640c3018bf735f965f4df0a4709577473695c8a0a669178a4971a85c69281ce1bb158fd3d65e78b4de8af2186938de01ab5ea42141bedd85bc3f56

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
446KB

MD5
aa82da689d71b881581d752dd03c08a9

SHA1
5c95e8a629c0fefa9bbc43d77919c37ef5c96185

SHA256
0dfc891d585389138f016d9bdf0174b6d59c478147cc32dc1a79d886ddbd1526

SHA512
4be91aea62086a9ebc87d4e89ccfd229be038f462de3d518e9b83d54e912d222f7c78f1d6c8e94217a70b776d6915d30ee49b209e539906c7157f57246d2069e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
446KB

MD5
15614cdf829225d3d0848ee8c770a79c

SHA1
b2e3dfb8fb474e5efce073f97b4ccf2dcfca76bf

SHA256
e83b9d849a7f8c647d8311b1fcdb9c0b96a412d414d6b5dc2fdeb72500e50e7a

SHA512
afd985536df3b2d8a90fb475f4a1053d655521f0b0c606341d1fbd9a9adf5a95bdca60c8f8cc11cd47483cc0573450917d19377fdff7e89ed96214c07fcd6e43

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
446KB

MD5
22eb68cc19298c83cd20cf5cae06fffe

SHA1
4281a3d001307cb7f324dbf8dd76651cb4f15c0d

SHA256
a53890019e9ec32f792d434c06dc75164791e6b0da9e41468c5d6d0486a6394a

SHA512
f73ec25d450946437bfe8e281f1df5104b2785e2d6e9f11b29736b882100491d0d00c4f1b8fb3b4e97f0f83aa33548a00070bc3d250a7ad6b338c9b1940796ac

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
446KB

MD5
8caf6cd0cdb894d3546cad0de6fd215a

SHA1
d2c45352a8797f7d302f9101de310f722e50be7f

SHA256
a4c4b947fef18ac2a054ad34ad2b1fa569651339cd404c853aecc5aa18c97cdd

SHA512
a7e6f646fac97699176ca1cb46db14e0ba51be8cce3cb955c13155314f1d7a38bd4e2bef22a8da89873713a1ab95d4aceda5d6feab76148e02cbabb5601d0143

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
446KB

MD5
76e04f92d74d34dd24470be6eb7cdd09

SHA1
8fa7dd32a22309bee986a3791243d2278f4b8e03

SHA256
0762b42d9c8e41d0d601166b66f4c891e63d110312ab78bae951452d1249da2f

SHA512
aab524292351c15b641831cf5676ab812368cf1a30fc6b07e5663bb73a1a8fac1769de202793bc119d58109b4842f8a6038c01f1050683bac847a63cc3b298c3

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
446KB

MD5
e9b1c79e9d38237ffe4683a2675c3678

SHA1
af96f51e7ab174627dd245be2e56a04777b6e676

SHA256
db68e3efb86f6c04059ac210a393b03ff7ffe0f645992983e66ab6534a46ebf9

SHA512
5756e54644b1f83e40497c38715d24197a1d414e17bd56af970fcc354bd7383906e67d4e3a2551e5b4c107fa4e031523fbe918107c038ed79995e5c2fa74584f

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
446KB

MD5
346710489f2e6f26e843376b74af232c

SHA1
e2d36066833eff4973a517fc396e1a1990eee543

SHA256
6ae712cba7e98061761491e9ae11ab5b7ddc2c7584077b8f22c110e77902df24

SHA512
cffc5c2e2257b9b3f8481af28bf5f3357f9e45c8da87e7136e827ce8066ad69dc0748d6edb659dd1eeedbb0b4197b8f30b41cc87d342b53c70a888d2c4867e81

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
446KB

MD5
560671f1ea3826d544c0f103c4ef9bca

SHA1
537755dac216a8222c38845fd7beaf588a39908f

SHA256
dd937fce54b75fd0e9cec947c8863f5f4b905f2b051f7ab6844f214348e2bdcb

SHA512
fbf632d04908337c7ba1959ff7438ae8f786640306bba9911878027e91b9d96f91d91ce16719afb6a89344b4b870e1c9a54ed8164b3ea1968c200f6cb33c1c65

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
446KB

MD5
a3a6d1f73f06c644806faabffb98ba0e

SHA1
3622db9bed4ba0c4bd129bf00dfc06b48388a720

SHA256
7d1c383598b6fc7d8a374cf6e1a45bdfc2abdb30b92209c4c99d539b28ec5aa6

SHA512
da1c1e8185f0fbe4a77cf68d16f2328731b255adf1f4fe1e7d3c40b0dfa5e914a38ae3b3b6bf9ab384c3a185386bc7662b77d55627f8b747262779a8beeb9b92

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
446KB

MD5
4599e6c14b7e940a60eabfb8dd2712ef

SHA1
b1eac87dce6bad3c67dc537a9f1cf1bbb72696fb

SHA256
ab6fb726bada0c535adac8c5d97398c3bcc40119812d12f2dc9864de428b9ad6

SHA512
a13b5b78d38f77a2eb4c3f4ab821d13a1112ea4038c55ba86f447f98ec3f8c155ef38c4b2405493d55e5ee3d6c22ede5fa12c31701c8cbc77efd146b4289a7f0

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
446KB

MD5
fcb814693369e86e2b7e750011ff2da6

SHA1
a5e8d1f8e8fed109c2554dca6866b68425328946

SHA256
902a2f4ebb31720610ffc217b39804a7ec4700bc18a4ab4671a76110ff74b1fc

SHA512
170a1cf959cf9637588639afac290be29823c3790e026774e61ae66d7b1c7275f4f283f16e819726afdc9265a008607eb455392ef3831e27b4a69e9ce0c9d843

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
446KB

MD5
b5158a45be287cbdcb8455224134dc80

SHA1
6d85be022994f48976cb10ef948e20ede22ad735

SHA256
2482823ad1ea0abd70f70ad306f25901ac884182004ebf27675409ff7dd8a245

SHA512
df5358329ebab9748b57538b2f09b30e5cead9f7fb6dc709d5ba126af1af7ae331fab867db29578baf59388fe4c96d669944126947a16ae8d4d122c008532be4

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
446KB

MD5
ba252a5501f81a2cde5a5bcbb60bf8f4

SHA1
628edf86b3b4fb1865e95dbc9cd7d6949efd5688

SHA256
4a5aa1781184343c38c7937b0fd3300af5ef1427b79b333ef31b7d8abd47ac48

SHA512
360248397daa3f7078b4427cccb351eb7947fb6cc1ee9b3a889f42b41c9721fb13df70b278b155a57dd87281f1c00ea7984041cb0acbc04d11ee299fbefa061a

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
446KB

MD5
765cfdd777023e5106f10ca37d8be245

SHA1
aeb78b0bd729b3bb6b40b3dd6bf6d8fbdd54af81

SHA256
7ccd2ee58f7da90a32f03d739de83ebae379d95b7e014e7102aff89a83708ba0

SHA512
2c34dffada7cfe9bcb2d904abc6a1436049b995d5b775e4791f8b31248140bdb8b9d3ffcffdbd2964b5191e187f8d17386a4dd4fd69ba546499fd3f33da20454

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
446KB

MD5
fc74408ddb3d7c1553f31c7318096e40

SHA1
4babfdf7af622b2d7cb2a80fb9f5989bbcb59f87

SHA256
9bcb3670d026e45d0ee9bbdd78db89e52066c7a5df9c1cd89f86340c51e3e7cc

SHA512
3bfafca448d903e6552c59653e1747a5ae04a988de8a496098fbff076de11b9983c399a730caaacca5dd299960fc28e9b453ef5b01389e1b7f03eb60a0e2dbe2

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
446KB

MD5
07aae22ce71eefcb68334add64df7e16

SHA1
f82c82d11a6a370be2ba87800f8c928ad780d6da

SHA256
752375c508e0b019450280b2084fe56f10d1de1d6c9299278a2eaabe18713912

SHA512
cde4ebaa649fc4ba861304f31afb423f6cf8b60990a94ed09bb70285ec856a02b807ca5254ecc183bfd3560e5cc5f54fc643873b9a09c0b2d17ea13d9b1fab27

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
446KB

MD5
25f940ee36296554dcde431ef86a7ffc

SHA1
cabca61bdbc2ab0cecc7a046d0496baa96a61698

SHA256
eb697f93b608d67cf00ed6e48ff50493e10dd5760ebe6568611038a890105c3a

SHA512
8f855bedb2853582314ce995ac7fef664668b22bc613ab7b679c76919bf05852b24794ffa6eceea166f0dd037f07b893aab08de11e464667a06ff77d417be166

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
446KB

MD5
25b43b61bf092d61f86e9c2a7f6fdb79

SHA1
9e4de7ad94a05394545fb05c76fc54a1fa1b8fee

SHA256
7dd33957479c21d66aee15fcbfd00c97d9ef323b20328b2c8998f3504e8c4d3a

SHA512
39c3c83bc96d4bf839c9ee53dbefcb4378bd0ef6f9ddba0d2b9ae2d9583012d068311550815d7d209e8d80dd17f8870801b8ae5ec48a42e0953f73d2f2b6107c

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
446KB

MD5
561be900c73a531a5609a511d56d8122

SHA1
c1cd86e5c403c50e617e899c448c1eae347bd178

SHA256
055a14be9c2777b477ce091719ab03873bf72283546da7d12ccdb7dbf68a784a

SHA512
f8c4fd991fffe927882706c523866a864c25b6c32a9b11f548df250b2440d7fefbdad1e9de012c6fd7eaa9b4ed7a1eea960e664a4d6b9fb0fbe420003ebd8fca

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
446KB

MD5
cfe790a8c9768c2485c1244ce8f11aec

SHA1
0dbf0f2869b252c32f224ba696a9a15b6b17dd11

SHA256
230d9c7789686f6bc51ff5324a426ac08c931b0573355add709c87fdbf064493

SHA512
8725d13e4c7f250919d2a8bb81d6bcc2e77ed6721e2f6db47173c79f35378a275f99b20197cf50c0581f5dbf897e5535906949dfeee9cc94f03c452b6e176ecf

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
446KB

MD5
c19b894e3b1b60935c40c65455967004

SHA1
461c0ec31aa7033805194a0a4c620a9858347801

SHA256
41e4ae8e67024cca5fc652205d1c7d818f5cd97a9dd3393d9cf8036dbf98a915

SHA512
3c26abc0ce5c20957a6f1a18fc81b8135cfa132a22ad6b0266268fd15b864780e18fcaf08db4a4eae276d5ae53cf2e4da4a5893ea987c429e309bfd2ddb283d5

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
446KB

MD5
8e91d5d9fd58b33865eaab94a04e1194

SHA1
73ec23b0b5e3c3d93f0d2a69d5fa0b04a30ddfe5

SHA256
f8f487f7849825ab2de863aa2882e76754bc9663516e8a10bdf5a7cc41e03979

SHA512
100a99019c7c1374da1b43fae846197bb53a8161d98f2686fe4bad036e7989f7e6445b0e6db2e0541753b3160496eba82a6cb0347b541afd73200e42ab3be4ea

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
446KB

MD5
b1d5550963c14d9430f6e21a927940e2

SHA1
76494d2fa8953f4329dfd3793adc01dcc585bb16

SHA256
d968a0f74a77b302903946c88926da55890af3315f5da88fae9f44388e2f32b5

SHA512
45e65402f62b6084c7fed9a40231a302e076ba51b88d0a3d7042984c928512a16ef5d8a194c1d76f2fa2cccef988dd6b8d9a8757f49126d50fb4eab7b87601cd

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
446KB

MD5
797c162decc6b10154ebf665e9a2ba6c

SHA1
99d2e91604152b14589c92d053819e3250bcffad

SHA256
1c7aaddc91a3cde8a2232abda66daeaf915b9adc7c2eff231fcce9b36c6e316a

SHA512
fd7ecbb02a9f65d236bee81d9eedcda30c24c7b74f53e329740dcea2eba725deb76d68352176cc08ac2e434893d3a786a96ded3345b7ce10223ac988a25dc475

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
446KB

MD5
851cabdcc8793ecac52b854b76fa22b3

SHA1
b877e7b8a2cc6de8adac20d821ea9b65dc723601

SHA256
77d73389fb938ca892210e2c70c3d0529b844188ec233fa64024ce2ed4e9ff7c

SHA512
3a70924f59f576b85c748a9568489a1cb71453118feaf82608b3904dbd54085e2c99b1bfebb343a41b2df0ea869cd91cdf686e6115756aba53415cbdafc44a77

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
446KB

MD5
5a20ba52f8b884b88dee6b755d3d84af

SHA1
08a272885722fca957f055d6ce12ccdf2389c6fb

SHA256
d167e22cd9903326cb65a81fc82333e4efaea56dc956e40fb55e65c56c9a091a

SHA512
984809a5ad588cac2f294f6cb6117ecde4849ea0898e59a5b05945541e5e0c1a017454248963d2962ab5607fc10e72c73bbf66d62179eff9fa8f633042f05b67

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
446KB

MD5
41fd986d8c06cd7a08d62f941adcc49f

SHA1
0bc3475bae9cb198a9e104ddf92e29ca9636838c

SHA256
c490f5d5c522ab9d2bce26165ca970367a1b329350e9bec37ec76a8589caaba0

SHA512
d6ff2981f5148bd17eb88051cace6bb414df4968a6701d9d258437b2e15d3b9cf9ec94d003a2c2fe3ac9d32eb4295232bb55458efe3f5b45934547af0cb39ebc

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
446KB

MD5
d324487bf5e073564dc33955f2d4d637

SHA1
a63671d7204f5dbdce954e11ac251cdb77ae0196

SHA256
ec28cbcd671fafef7f17527d391aef023268b2fbe211228e8fc00300f4a2fad8

SHA512
55e7cbe2d24631f3a8ed247182d7658a60e4e6eb1ef549c479092dbd7e3afc1c77342fb98fa0ff54aca015e85b70f757c9f81f70794514d0a34fc945517bad57

Download Submit
memory/116-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1552-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads