a37c73f41782c825b1f44f95aa657f72f07f485380dd3fd327994b52923c8750

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
Size

100KB
MD5

eaa74c7a8999fc2a8a549a5eb9bbeba0
SHA1

59f3f26496e8276af2dccd7ab6ad70c5e1bbcff0
SHA256

a37c73f41782c825b1f44f95aa657f72f07f485380dd3fd327994b52923c8750
SHA512

eb3d1f320875a65f5118468b3e14065ee0433f7155cf34b8e051c80bc918622da5c28b784a535ab988a49e2439816c15a077eb8a5cacfba2189e9bd6d3c02436
SSDEEP

3072:tzbJB7594Hkcl0wC7HwHBYLpQ/d5Qu1/gb3a3+X13XRzT:tBRL44BaBup2uu147aOl3BzT

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe

Executes dropped EXE 31 IoCs

pid	Process
4488	Balpgb32.exe
3476	Bcjlcn32.exe
3956	Bfhhoi32.exe
2228	Bnpppgdj.exe
4868	Bhhdil32.exe
4136	Bmemac32.exe
3512	Cfmajipb.exe
2872	Cndikf32.exe
2164	Cenahpha.exe
1348	Cfpnph32.exe
4528	Cnffqf32.exe
2860	Caebma32.exe
4716	Cjmgfgdf.exe
3392	Ceckcp32.exe
3488	Cfdhkhjj.exe
3676	Cmnpgb32.exe
4584	Ceehho32.exe
1272	Cnnlaehj.exe
440	Cegdnopg.exe
3888	Dfiafg32.exe
4832	Danecp32.exe
1864	Ddmaok32.exe
4888	Djgjlelk.exe
3176	Dmefhako.exe
1648	Dhkjej32.exe
4164	Dodbbdbb.exe
664	Deokon32.exe
5108	Dkkcge32.exe
5012	Daekdooc.exe
1808	Dgbdlf32.exe
2956	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3052	2956	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4488	3952	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe	83
PID 3952 wrote to memory of 4488	3952	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe	83
PID 3952 wrote to memory of 4488	3952	eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe	83
PID 4488 wrote to memory of 3476	4488	Balpgb32.exe	84
PID 4488 wrote to memory of 3476	4488	Balpgb32.exe	84
PID 4488 wrote to memory of 3476	4488	Balpgb32.exe	84
PID 3476 wrote to memory of 3956	3476	Bcjlcn32.exe	85
PID 3476 wrote to memory of 3956	3476	Bcjlcn32.exe	85
PID 3476 wrote to memory of 3956	3476	Bcjlcn32.exe	85
PID 3956 wrote to memory of 2228	3956	Bfhhoi32.exe	86
PID 3956 wrote to memory of 2228	3956	Bfhhoi32.exe	86
PID 3956 wrote to memory of 2228	3956	Bfhhoi32.exe	86
PID 2228 wrote to memory of 4868	2228	Bnpppgdj.exe	87
PID 2228 wrote to memory of 4868	2228	Bnpppgdj.exe	87
PID 2228 wrote to memory of 4868	2228	Bnpppgdj.exe	87
PID 4868 wrote to memory of 4136	4868	Bhhdil32.exe	88
PID 4868 wrote to memory of 4136	4868	Bhhdil32.exe	88
PID 4868 wrote to memory of 4136	4868	Bhhdil32.exe	88
PID 4136 wrote to memory of 3512	4136	Bmemac32.exe	89
PID 4136 wrote to memory of 3512	4136	Bmemac32.exe	89
PID 4136 wrote to memory of 3512	4136	Bmemac32.exe	89
PID 3512 wrote to memory of 2872	3512	Cfmajipb.exe	90
PID 3512 wrote to memory of 2872	3512	Cfmajipb.exe	90
PID 3512 wrote to memory of 2872	3512	Cfmajipb.exe	90
PID 2872 wrote to memory of 2164	2872	Cndikf32.exe	91
PID 2872 wrote to memory of 2164	2872	Cndikf32.exe	91
PID 2872 wrote to memory of 2164	2872	Cndikf32.exe	91
PID 2164 wrote to memory of 1348	2164	Cenahpha.exe	92
PID 2164 wrote to memory of 1348	2164	Cenahpha.exe	92
PID 2164 wrote to memory of 1348	2164	Cenahpha.exe	92
PID 1348 wrote to memory of 4528	1348	Cfpnph32.exe	93
PID 1348 wrote to memory of 4528	1348	Cfpnph32.exe	93
PID 1348 wrote to memory of 4528	1348	Cfpnph32.exe	93
PID 4528 wrote to memory of 2860	4528	Cnffqf32.exe	94
PID 4528 wrote to memory of 2860	4528	Cnffqf32.exe	94
PID 4528 wrote to memory of 2860	4528	Cnffqf32.exe	94
PID 2860 wrote to memory of 4716	2860	Caebma32.exe	96
PID 2860 wrote to memory of 4716	2860	Caebma32.exe	96
PID 2860 wrote to memory of 4716	2860	Caebma32.exe	96
PID 4716 wrote to memory of 3392	4716	Cjmgfgdf.exe	97
PID 4716 wrote to memory of 3392	4716	Cjmgfgdf.exe	97
PID 4716 wrote to memory of 3392	4716	Cjmgfgdf.exe	97
PID 3392 wrote to memory of 3488	3392	Ceckcp32.exe	98
PID 3392 wrote to memory of 3488	3392	Ceckcp32.exe	98
PID 3392 wrote to memory of 3488	3392	Ceckcp32.exe	98
PID 3488 wrote to memory of 3676	3488	Cfdhkhjj.exe	100
PID 3488 wrote to memory of 3676	3488	Cfdhkhjj.exe	100
PID 3488 wrote to memory of 3676	3488	Cfdhkhjj.exe	100
PID 3676 wrote to memory of 4584	3676	Cmnpgb32.exe	101
PID 3676 wrote to memory of 4584	3676	Cmnpgb32.exe	101
PID 3676 wrote to memory of 4584	3676	Cmnpgb32.exe	101
PID 4584 wrote to memory of 1272	4584	Ceehho32.exe	102
PID 4584 wrote to memory of 1272	4584	Ceehho32.exe	102
PID 4584 wrote to memory of 1272	4584	Ceehho32.exe	102
PID 1272 wrote to memory of 440	1272	Cnnlaehj.exe	104
PID 1272 wrote to memory of 440	1272	Cnnlaehj.exe	104
PID 1272 wrote to memory of 440	1272	Cnnlaehj.exe	104
PID 440 wrote to memory of 3888	440	Cegdnopg.exe	105
PID 440 wrote to memory of 3888	440	Cegdnopg.exe	105
PID 440 wrote to memory of 3888	440	Cegdnopg.exe	105
PID 3888 wrote to memory of 4832	3888	Dfiafg32.exe	106
PID 3888 wrote to memory of 4832	3888	Dfiafg32.exe	106
PID 3888 wrote to memory of 4832	3888	Dfiafg32.exe	106
PID 4832 wrote to memory of 1864	4832	Danecp32.exe	107

C:\Users\Admin\AppData\Local\Temp\eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe
"C:\Users\Admin\AppData\Local\Temp\eaa74c7a8999fc2a8a549a5eb9bbeba0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\Balpgb32.exe
  C:\Windows\system32\Balpgb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\Bcjlcn32.exe
    C:\Windows\system32\Bcjlcn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\SysWOW64\Bfhhoi32.exe
      C:\Windows\system32\Bfhhoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 408
        33⤵
        Program crash
        
        PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2956 -ip 2956
1⤵
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
100KB

MD5
8af807c4879f6818265a75a91c9d8601

SHA1
275272cc0b7da15d1c60970b0aaa95bb37f3d330

SHA256
4df6d0429be8f2ee778d6b7d5c87eb465747cfb5409d0b22a2fc36a683d61ac7

SHA512
d08088af9647dd3a35754f7776943097812eede4712445d666310680d81748f1e6909720495227caca78137a6094c2ffefd3a120efc61fc105355b21a17ad2c9

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
100KB

MD5
6689fcb510d7c1ac738b8b3c7ab39431

SHA1
19bba87d6048565ee4a9c3f82268d826fc3dcb9b

SHA256
c97a35d6f8b561844ed64e43f562a654752affea71665ff01dd11491d7dc0cf2

SHA512
d2da53cabdc7b55d7a8d269d54e60a3837c8e45066c4754750aa1509548c69a1fa20f6ba3b477ce0cba0b5b8e77f1b46db4fb146128fe6a30552d48cd5737458

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
100KB

MD5
5efc8cdde470fbf2fd2ecd328ee480e2

SHA1
49249e78b98b7a567a653af15bead6517b14a86c

SHA256
95faf0c25d2babc2da7b99168e94492b0d0548b340514b098b38bf8fc48df737

SHA512
85f2a931b8accb9e5fae178dd374e31f0422594d5506fcc14f2fbb19143adfc1e129dc60e20ed5825d9b2017262579d0802bd5038d2b7b9f76ab8c6842887c8e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
100KB

MD5
14707096a9fd4b20934be7e2bd0ce6b4

SHA1
7cd5ad9bb552a817f46831d967e1343b5f626cc5

SHA256
9ce396824b9976e72d21234acdb6a1eb561f24c726fd0108caaf715e4ff9fc04

SHA512
47ae1b1bc3fdff47ead00a7b11b7baf5ad1db54a67b50ecfdbf181125fcb0f75846d03a4d8083ff7933217a190b5f53097c313599fc60f9a3e8a1bf9fba0b8ae

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
100KB

MD5
17061df20b69a348261c9dde145b6aca

SHA1
465669fa19642fd15226ba4406bedae92de1db22

SHA256
c6316fa76aafc68a63204bc21aaa3a2a2208e23b656463a7f6095056af1d6de6

SHA512
b580143af6493c087f1e33118111c1c71603f669402e48727e74c520246c25cd07005d56fd0e8ae8e9e85a0d6891d9d1ff61ff39f905084658340bffb1f84c20

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
100KB

MD5
5051f8c3f6ce5e0e07f5188dd2e9a30f

SHA1
7a99f4b43faedee9c42247f82453456310248eb5

SHA256
7c639d498ca9a4dbc9d3f43a9ad4227284502ad45bd9490fe3ce63b883dbb237

SHA512
601540b9686a9585d04254035ce0756a904fe683d64fe0b15f76b857175b2b363ea627cab38d08d5be1599038d1b36254a44b929898e25cb593aeb86a1eef1b3

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
100KB

MD5
bdad1c29be55ebf960f2c52bf391701d

SHA1
53bd2a972ae82446627d274e71f492ab0d07a447

SHA256
48f02b5598102299eedf7ad350bc71b6493a875754ce1c14d3292510d7a84816

SHA512
2b8314b05b96f6496023cda6fed450aadfeaf36fa7e81230e2fdc14efbff5ee228b41749078865faca9c0a7db9226a81d354ff3a25960372026519c4595ea527

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
100KB

MD5
395fc140e926eeee28c615843f240039

SHA1
0ebd425f6d042de583313c715f0d7f5fb24b720e

SHA256
165eb65981ea692e42b1bb1cd62fa3980d9541798ef6328fa37c63367ee71af5

SHA512
6d5af2edcdd94d86f6435ae9accdea577fe477af9d0ab5bdae647546c2cf2ab89229942d00dbc1c69f59cb7428c69c516dc8ca676e4635cca81c23df4e8aa4ef

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
100KB

MD5
a8ab8f842e74a2753628deb6b3dbd412

SHA1
dd022a3fba91dae711abd62088011fd58fd27d87

SHA256
21b20b2d37e0283befbc33eeff39277fa5e5ab11aaf53e634cd1733429172f1d

SHA512
d96da395c00f63fa1b276b11d5dae8457fac5659b22eb36b033c406aa50fe5cb50223fbf077ec1f76f29f788561b5c0c7ed3654d0700a726da81d59bbc348e7c

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
100KB

MD5
c6cdd69ad55d6f3af4d2f7f85bc4d1c0

SHA1
18afcebe395287ad40f521dfc2f295379aefc7a8

SHA256
b8badcee292a94258e8ac16b0f9e0d8bc878209423f4f3309385925730e1be8c

SHA512
32cc64af0c699cd12b0560ee33a8759198943c718f563d040a7cf0cc4b41694c656a441ee8789c612af1c143a56a2fa6e3b1aed956ef2606a7c43662f0ce7248

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
100KB

MD5
387f48e9cfd8dfc38c5188b349336520

SHA1
58ee06548563765b62de6986bac6300116381722

SHA256
954eeb38418526004a21ebabbcdd89e86581dffc711cd1e38d8af13f3f0cb288

SHA512
a6aa3186da426e5e6ab691917ba8247041dbb266d608fad1ea56c63b2829106d246e1fd110915c5239efa7efe1d79b24c72418b3221ad74e21e0a1bf8174cc77

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
100KB

MD5
e8dd443bf05ddfd95699e3e473a41619

SHA1
539438923b172d36cfdf39d6a9447941a0975ef8

SHA256
561ed383c11642164c21c5feb7babb1e3907b5b05e4dc9ee8b94861423e42213

SHA512
7b715ef714d9ff4f73cb372e339f3575ad005512be14c297a66da62b57d7ab65fda69cb443f92d27773906ce8a10c52ba3ea746afc6eb60e2eee1a34ab54199b

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
100KB

MD5
03f6d4db4f8dfbcbb1218198a6b41a96

SHA1
b3c13f1310a2fbf3cc2e1eafd12ced7e2bf97d9b

SHA256
13ba79f22e51b7ebfcc579a60629a45ce1678518add2f0d64c3b30587124fa92

SHA512
07993ff4e3baf9fd08b1616ee258665cbb8c3e8cfae7c18205e923505788659a6d21775357e80befe9debef50158125b2378611d1cc1b1d7f1bcccc02fcec010

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
100KB

MD5
e0a4904003db1ecaeff7450434abb723

SHA1
7528f88721eaadd5290497e73f4f6a0fdf9bacb9

SHA256
3cacff6dd76672da437244960a2ecbc900048ad9ad74cd41dd5fc981a4f92fd2

SHA512
1d81c4ee10a19d8c710103b6c27c840c86352bf53c5082038f6b074f55660a0ab8d99d57f1fb9361195ad302086aabee1ac325cf583d64cf33126c2ddcb72546

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
100KB

MD5
ef854d80b6fc042edd9c96b3d6cf06b3

SHA1
0fd9097a7cbeb94dbbce5a4d61aa81d0dfca2e09

SHA256
eb531aa0c70fe3a560d50bc8f0f05ac854423f5f2d611a33c4fade23bec1e377

SHA512
2d5a3429e47aabbcf9820e86a9bf17d7b9df0f453f0778bd820b54859ba69e4a59713f7ef946edb3c48883e12e4403bf29828bb5a844329357de453c91a03cb0

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
100KB

MD5
c96740118b44e7347682c97c8cf84f47

SHA1
901a00737d039f99f03d64a3dec5b98c9613e131

SHA256
b6093bf439b80438c9ead8193d9d5b4d87cea4f5079871d1919f85a034d9beb7

SHA512
0aaf5892e933a68eb60ba2d16a45d35f3e35e66da5121041387de123e40272b740f14bf47516cd8ff884c5c135573e5faaffbbcbc99814984800c0253dd1ad95

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
100KB

MD5
55b38b7676512755866428eda39f5ece

SHA1
069710b43d6c2758921de65ef1f407fe1209c2e9

SHA256
12d3f4c152fbd1a1292926f770c7a84cf3e105804af90f06b4e4dd5cbc2b8ca2

SHA512
912f587419b1d88323475b9561caf9fad58fdfea7c99bc1dcb0d38bfdaa95673589ddbccd2149a263d49af7ceaea9a6e6df632385fcb730b9ac687380b924ed7

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
100KB

MD5
6490ceb37c3213342c45adeec87c3fe3

SHA1
d63559159d5fe86571765131e8febdc5a72728f3

SHA256
1af8bac689ad8a2d9925f7b2d4bfd2f1add35c8408aee84a95c6a223df31b8b3

SHA512
88b226af5f64028eb677c726c2f4b7c2779323cb43a09e3bf712be42ac8bb9683eb7dfcb0b9b41f85bd84530ed28b6051dd2bada4afc1ccfae64a0426471f4e1

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
100KB

MD5
85af1a419a2928c76fad2753c3f16197

SHA1
d8e9c610ee6bbd446c45c98457ed686bf00f4997

SHA256
54aac3d3f2b2adb8ca4746aae97acc35c0f1dfe6d56cb55f028b3aa936aea148

SHA512
0f1c9f873e877ee67e5794181e37451de22ca2067b20e7f029707488be7a84701d81527333f3097dd7843a1a24565a2d72645b63d176ea9096779678e7b26aa7

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
100KB

MD5
cdb992a791e065d3d76bb05d38678700

SHA1
b50ff20390cbfb18e5b47f4e3ce56b5339658eaa

SHA256
ce6f357d109602fabb4912621c05f83d9cd4959455dddb29d6ac3439a1d8060f

SHA512
8d2df0a20e0d8e68b1a18aa1c44b226fb176e5c5d298cd5d61ea21e69467c848054f7692ecdb088ba8b0d1704a3ed79ad203be43f87914cbb8a7b32f6ff7ae30

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
100KB

MD5
77ce8e2419e6eef66904578a1c246713

SHA1
41d33b25c26d914f31c064e958bb2b52167c0146

SHA256
27ceecfc4f53358604d9baab57c56430504ab2884eb106fb3ad45e34f5e5c9e9

SHA512
ae1debd1f0c97beee79df8abc63b4b6bd38c072c1496334058a210bf86aaca64c686e61087595ffc16d4716f4e34a8698258bd058dfd01a01445e78699bf6757

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
100KB

MD5
de8a22ba01ac53bea5848d45bb30b324

SHA1
3b6fe8eece4d56b83febaea4dcc91301e0b811de

SHA256
61aeb72c92b70cd1c13603eb0dfb1b9cc5e23d95b262f999d1fe8beea84af27f

SHA512
83bc028fdb90e24f967d60154074608b2a08ebba6cd0840cd6c41e63d7006820d9b827d0b65bedc58533b2995a931a03a5e29acf970899d0f537c9ea5922cd87

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
100KB

MD5
c64ab2e2cf454e8dfa87f2d476f8a85c

SHA1
62f88af802f3f70f166998a01a4ef35ca9044cfe

SHA256
c69d38f6961857fefc47fecfdcfa55390965e8a3ebd31aaf7cd0c71ef28fdef8

SHA512
b003da4d9da9dd3973910a520d0734ba8c0daf06a71a0297b9954229b20c4a405a78ddfcdd665300a4d298cf8c749430d29b605dbb2e06f9b9410453a3eacedd

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
100KB

MD5
b6f221abdbfa00c371be701a98e7f676

SHA1
b27d268d28e02154f30b357596219bc34a931226

SHA256
af1483507e15842c5dd1c5c7d5dc2f00707368119700c6387193ac1e2a2d1d73

SHA512
5fe9840281e08d3ec16f614b54f1123ae2fecb78b78cbf47ddff0b06daa6e57e14557ae0ffc2e1a88687a1bcb2619786ed63d5068710c21bd31d632d268e1025

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
100KB

MD5
8ca071c86996c98335eb927a32c99bb9

SHA1
c4e0789f580f88ec15ab86903c321577571edeaf

SHA256
b69726fdcab73949ac3dc1d341cbe77d3cd6a979d62ffb231ab2b959db72c276

SHA512
809ebecb65cf0e57964cef7479c93e80edd3aa5d020b509e0a40e06ee3df35412c51b185a6b5e2ee4c6f5b68370f4a5496bdb6bb5271fb277d20527c4a0fe849

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
100KB

MD5
691400e4e40dfe23651219b61b203285

SHA1
a0172ad3b8952b03b1224f3529bed7a98cd3f926

SHA256
ffcbcd8b45568539960d4e8771d77176cc386a0ce7b5b77872a8022d4f6a56dc

SHA512
b4f34ce2571ec983e028b55cc0d6ce70f160a3f1968d1004eb5c5c197d1e2b3c1799c5dd8357d4e64fd30ee722fe6e49b1a8e082b6f89185bbccbd5873aa8882

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
100KB

MD5
cad9fca428fcedc43e2eba5247e8ef56

SHA1
09dd9b50ea4e6db4c55aec2be62602b8c710f9e7

SHA256
763cc3e05919d0d282cf952bf50317cfbd654ab984dbf4d736be8174ad715949

SHA512
420c11c9ab1f5a19ab8902a3258076a4a9bf1124e87190d1471bfacf6b35c2a5eda3c371a785e73d5d8b84ff5a8e031f9b97f301bf86fe97938701db5f8b1a45

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
100KB

MD5
3998601f4c457db9098cb69897cf048a

SHA1
c28a67b90802d167e15e9e45174aec7d10fcf237

SHA256
5638ec93079239634303076d80380f015b4f0d3a4f793932f08828ddc5ec7084

SHA512
275da6624435e761f97324ad8ee4dfd24fe25d4e77b6b08251e5a5bb430162cf446ba345854261be8c8630f1543fe505d38241c03fa502d4e5b4605471af2478

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
100KB

MD5
cc24279b4181015021a00f2f9d05a29d

SHA1
480aa228caa2c62bd410153ca3f33aada25013a9

SHA256
5e724bb0c80d2d56508fb2090cdb201b09971b259b79a867b51fc1407e4fc548

SHA512
efa3beb20705261d3effa32a9cc81de6dde30eac4c96cc33538b77a86ab09d97fdec69dc6a4d21e35a2383f639317418c6ae83c1aa8c6f328c0e9ebaa037e92c

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
100KB

MD5
a516edf75fe5d911490181cdd6967189

SHA1
ded847840b9165033afa48959fca16bdeb2dd04d

SHA256
29c739d99527fdb24f10dd567869ce955d339e2ae369005b30d0d7a0ed5cb0ae

SHA512
18ee92e206e4c4053c06105c221a828aa5eeec97a1d5f6154d91916f920d9fbfe05c7f0de2574dc9a4e7f138bfbd2b66e66272fc084e45190a201e674ccec3b6

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
100KB

MD5
c636ff9ab89e7f8ebf6739f854ffd27c

SHA1
e0bf4ffeaf75ebc2258575b557c89cddfe1cfc22

SHA256
2317a2632b8bf0f7782278caba7042a7c6bd572c74ff3790617cb9dabb00f296

SHA512
1ac12601a72bb1cae6107be126daac36fab123cc70c87daf2babd1ca17ff747a7383e07a52781ab5fde1d676c818850b0179991ebb990cadfb801651878470ab

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
100KB

MD5
6f579ca7d1e8f5861815be6ad0555ddd

SHA1
2b8e2247c4468f044aeb68c357d3e6fcb7573b41

SHA256
5f0248f164c60d02a6eab1ccc72455685852bc1358f4af40e4088dc2c82cd7e8

SHA512
b47d64476c5948c5bacdbc6a91f8fd7514ae49234be2164ca20da15b903894308620c354fd8ba9bf51b5c14835988a55781ce5c550f703d70eaebdc460196bb2

Download Submit
C:\Windows\SysWOW64\Iqjikg32.dll

Filesize
7KB

MD5
dd6746219b7c0bf13a1cf9969826b140

SHA1
4c1b57476426eebe3b8a683ef995cc6c0884f79b

SHA256
78e21ffc8a879bf31cf678ffbc69f624a4160338c0f60bb92ca2240f98cd2bbf

SHA512
77ab28c9530d6e9f87ac625753bce2a65446b3c79f3b26e4f4d533433f054e350daff6b8221df410c2db6e0c6be99d5796a16ba877e2d26966fb18f318d19e09

Download Submit
memory/440-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/440-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1272-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1272-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1348-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1348-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1808-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1808-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3476-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3476-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-265-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3952-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3952-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4488-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4488-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4832-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4832-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads