2ced10c4316be076650ce75b24841b8b15eabac8072d0f09ea62fe270bf193f6

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 05:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f6b1829294486ac639deb102939ea190N.exe
Size

128KB
MD5

f6b1829294486ac639deb102939ea190
SHA1

121d8820cbd56482eb002a6b73fbf90fca23626e
SHA256

2ced10c4316be076650ce75b24841b8b15eabac8072d0f09ea62fe270bf193f6
SHA512

01407f81f5723056b9d4f0645b852a27947c78e98761e743755f4288e584f18ee4f6e8cfe4342a2266e172502656ac61deea1c6afa29f5ce9b261ebb38e5f02f
SSDEEP

1536:iIMWUCJFo3ee77377L40cO80arFAnFgoRQDHRfRa9HprmRfRJCLIXG:dUcFs37U0cOiFmgoeDH5wkpHxG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f6b1829294486ac639deb102939ea190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f6b1829294486ac639deb102939ea190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe

Executes dropped EXE 35 IoCs

pid	Process
1960	Bapiabak.exe
3176	Chjaol32.exe
2120	Cjinkg32.exe
2932	Cabfga32.exe
512	Cdabcm32.exe
2152	Cfpnph32.exe
1940	Cjkjpgfi.exe
4748	Cmiflbel.exe
4612	Cdcoim32.exe
1800	Cjmgfgdf.exe
2816	Cmlcbbcj.exe
4732	Cdfkolkf.exe
5024	Chagok32.exe
2808	Cmnpgb32.exe
3084	Ceehho32.exe
232	Cjbpaf32.exe
4524	Calhnpgn.exe
3448	Dhfajjoj.exe
2560	Djdmffnn.exe
3644	Dopigd32.exe
4124	Dejacond.exe
3104	Dhhnpjmh.exe
2840	Djgjlelk.exe
2412	Dobfld32.exe
400	Delnin32.exe
1056	Dfnjafap.exe
4640	Dodbbdbb.exe
4304	Daconoae.exe
536	Dhmgki32.exe
1388	Dkkcge32.exe
2092	Daekdooc.exe
4280	Dddhpjof.exe
4016	Dgbdlf32.exe
2852	Dknpmdfc.exe
1412	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	f6b1829294486ac639deb102939ea190N.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	f6b1829294486ac639deb102939ea190N.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	1412	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6b1829294486ac639deb102939ea190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	f6b1829294486ac639deb102939ea190N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f6b1829294486ac639deb102939ea190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f6b1829294486ac639deb102939ea190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1960	1432	f6b1829294486ac639deb102939ea190N.exe	83
PID 1432 wrote to memory of 1960	1432	f6b1829294486ac639deb102939ea190N.exe	83
PID 1432 wrote to memory of 1960	1432	f6b1829294486ac639deb102939ea190N.exe	83
PID 1960 wrote to memory of 3176	1960	Bapiabak.exe	84
PID 1960 wrote to memory of 3176	1960	Bapiabak.exe	84
PID 1960 wrote to memory of 3176	1960	Bapiabak.exe	84
PID 3176 wrote to memory of 2120	3176	Chjaol32.exe	85
PID 3176 wrote to memory of 2120	3176	Chjaol32.exe	85
PID 3176 wrote to memory of 2120	3176	Chjaol32.exe	85
PID 2120 wrote to memory of 2932	2120	Cjinkg32.exe	86
PID 2120 wrote to memory of 2932	2120	Cjinkg32.exe	86
PID 2120 wrote to memory of 2932	2120	Cjinkg32.exe	86
PID 2932 wrote to memory of 512	2932	Cabfga32.exe	87
PID 2932 wrote to memory of 512	2932	Cabfga32.exe	87
PID 2932 wrote to memory of 512	2932	Cabfga32.exe	87
PID 512 wrote to memory of 2152	512	Cdabcm32.exe	88
PID 512 wrote to memory of 2152	512	Cdabcm32.exe	88
PID 512 wrote to memory of 2152	512	Cdabcm32.exe	88
PID 2152 wrote to memory of 1940	2152	Cfpnph32.exe	89
PID 2152 wrote to memory of 1940	2152	Cfpnph32.exe	89
PID 2152 wrote to memory of 1940	2152	Cfpnph32.exe	89
PID 1940 wrote to memory of 4748	1940	Cjkjpgfi.exe	91
PID 1940 wrote to memory of 4748	1940	Cjkjpgfi.exe	91
PID 1940 wrote to memory of 4748	1940	Cjkjpgfi.exe	91
PID 4748 wrote to memory of 4612	4748	Cmiflbel.exe	92
PID 4748 wrote to memory of 4612	4748	Cmiflbel.exe	92
PID 4748 wrote to memory of 4612	4748	Cmiflbel.exe	92
PID 4612 wrote to memory of 1800	4612	Cdcoim32.exe	93
PID 4612 wrote to memory of 1800	4612	Cdcoim32.exe	93
PID 4612 wrote to memory of 1800	4612	Cdcoim32.exe	93
PID 1800 wrote to memory of 2816	1800	Cjmgfgdf.exe	94
PID 1800 wrote to memory of 2816	1800	Cjmgfgdf.exe	94
PID 1800 wrote to memory of 2816	1800	Cjmgfgdf.exe	94
PID 2816 wrote to memory of 4732	2816	Cmlcbbcj.exe	95
PID 2816 wrote to memory of 4732	2816	Cmlcbbcj.exe	95
PID 2816 wrote to memory of 4732	2816	Cmlcbbcj.exe	95
PID 4732 wrote to memory of 5024	4732	Cdfkolkf.exe	97
PID 4732 wrote to memory of 5024	4732	Cdfkolkf.exe	97
PID 4732 wrote to memory of 5024	4732	Cdfkolkf.exe	97
PID 5024 wrote to memory of 2808	5024	Chagok32.exe	98
PID 5024 wrote to memory of 2808	5024	Chagok32.exe	98
PID 5024 wrote to memory of 2808	5024	Chagok32.exe	98
PID 2808 wrote to memory of 3084	2808	Cmnpgb32.exe	99
PID 2808 wrote to memory of 3084	2808	Cmnpgb32.exe	99
PID 2808 wrote to memory of 3084	2808	Cmnpgb32.exe	99
PID 3084 wrote to memory of 232	3084	Ceehho32.exe	100
PID 3084 wrote to memory of 232	3084	Ceehho32.exe	100
PID 3084 wrote to memory of 232	3084	Ceehho32.exe	100
PID 232 wrote to memory of 4524	232	Cjbpaf32.exe	102
PID 232 wrote to memory of 4524	232	Cjbpaf32.exe	102
PID 232 wrote to memory of 4524	232	Cjbpaf32.exe	102
PID 4524 wrote to memory of 3448	4524	Calhnpgn.exe	103
PID 4524 wrote to memory of 3448	4524	Calhnpgn.exe	103
PID 4524 wrote to memory of 3448	4524	Calhnpgn.exe	103
PID 3448 wrote to memory of 2560	3448	Dhfajjoj.exe	104
PID 3448 wrote to memory of 2560	3448	Dhfajjoj.exe	104
PID 3448 wrote to memory of 2560	3448	Dhfajjoj.exe	104
PID 2560 wrote to memory of 3644	2560	Djdmffnn.exe	105
PID 2560 wrote to memory of 3644	2560	Djdmffnn.exe	105
PID 2560 wrote to memory of 3644	2560	Djdmffnn.exe	105
PID 3644 wrote to memory of 4124	3644	Dopigd32.exe	106
PID 3644 wrote to memory of 4124	3644	Dopigd32.exe	106
PID 3644 wrote to memory of 4124	3644	Dopigd32.exe	106
PID 4124 wrote to memory of 3104	4124	Dejacond.exe	107

C:\Users\Admin\AppData\Local\Temp\f6b1829294486ac639deb102939ea190N.exe
"C:\Users\Admin\AppData\Local\Temp\f6b1829294486ac639deb102939ea190N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\Bapiabak.exe
  C:\Windows\system32\Bapiabak.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\Chjaol32.exe
    C:\Windows\system32\Chjaol32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\Cjinkg32.exe
      C:\Windows\system32\Cjinkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 408
        37⤵
        Program crash
        
        PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1412 -ip 1412
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
128KB

MD5
b9fd117198fe4e94c4bf46cce9a603ab

SHA1
48d032d5395ec6a463260bb3198cdbacf995711f

SHA256
54cc2fce4a15158f30c5974e4de22bca0954bdac6fa853ab512f864445e63d57

SHA512
c62286c5dd8973042ad996dcd8571fa8d0e1282ae37b17399a1ee4a65f757b9a39e2a106db15c48b4433321504a94dbda47f53954959af48d526a4a796b5cb15

Download Submit
C:\Windows\SysWOW64\Bhicommo.dll

Filesize
7KB

MD5
0da9bf185c6086fe68e6c267e7351075

SHA1
d2952ba1ddfd2759cc2fadf7bfcf891c37b09c06

SHA256
8bd208df9f07ed366b6f7f066ee2bb0f21ad788ca1d5f5dffc41baf112bf9e3e

SHA512
33eb2eadb572e05fc84db3062363c13d38226ecc92ad01e03489f8f98645406dea9080535ef04eeb098bf63f9d1fbdc647362bed660c7b0f674186d4f9e857fa

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
128KB

MD5
b43ec80602bbb75a2cd4399bec6d583a

SHA1
8bb0e6101265487c8e12fb56cd0a4227160c9dbc

SHA256
334ceddb3564c553ece3dbacce55375afd2db40e87939d559b3e27970a7e83ef

SHA512
09d94eca49113e8e4b635ac53928915d4142e73a31a291651fec7d84879d2447ef8d914f278ec95dfe4d6d9ebfd6e3d6135826331650ffb912a8de65ae29f06e

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
128KB

MD5
040dae403bece30aa4f7d88bfede60b9

SHA1
55065a57ce0159f0ee882b7bb4e4274771564acf

SHA256
c708278437334d945bf7e456cc484451ff013d2826e0dd7045d1fea0d4f81b9d

SHA512
514e9bbd396954ed385440118ea655a74a3f70fc7118889ebc04ae20edfe3ba0d58ce632f47a30eb1103741316c0b5a92fb1321cb03ecab8d0d4c56b524df014

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
128KB

MD5
1365e01a4f900123ec093d4fcce7a072

SHA1
ecf5bbeb4cca424e5e783a4473957f3f84e167c9

SHA256
4c735b5582b9454592a13a78fa0f09ac5590286e91627b2e3fda4993a3557ce1

SHA512
079de360a9fa93c4cb6458fbad0afa8fb3159699a2d4a90e6bd4ee96154eb37305f4a55544ff1b00c72d719f5f50d460d4a6bcc212e500f89de4b14a7a919359

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
128KB

MD5
0ebf9e84661018dcbf96070ac5be037e

SHA1
72e3a3474292e96a69a64d119f259c760e39ed99

SHA256
bab48818645582716597a12732f05e4ecdb0ccab0a1b15f54568f14871699e29

SHA512
c432c7d31da7ab2fe1252af142cc8b64fa15149dbe755be28a5902e00a340f8550c879f90f7b525658b30ca48b425918126ba2e9cabbcd7a2cffa2b94eee06e2

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
128KB

MD5
b41ac5fe7a420b677bfcd91f1e7fef43

SHA1
6f86269f8284ed22589ff76c9351c6467db5c9ad

SHA256
909a7438d24cb46b85d6a643fad308dc24ae73c9e07c704f9b73f95d96b6df60

SHA512
74a7e26c58bc49d2f35244d016574b3a593a83d1ab120ab9a676e291dbf90c32442a5fdc0b36d7101cc8b247812b5c4fea30ce4fcd092f0300e8826af9ec2731

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
128KB

MD5
4859ad5953e4d1c0719a2c96adf27573

SHA1
367ac3f2d43bb07f4bb4b55cf07e3b8e36d7f12a

SHA256
9c33394f5372e3d55b91c5087767947078ed7538ea33325bd9f5315c07570bcf

SHA512
4364ae56c11c6f3cecfc81bda0cb5dd437099a6f9a4489f970c81c7bb688d9b0333e8ed1411538b862b4f0018ce94ff69834f9a216f2ce8ddd8defd251e3efa7

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
128KB

MD5
59298b52eaaee8b586d600e36f8ed91d

SHA1
990d010a58bc484c4505c7a8fdb5ffa2e207714a

SHA256
094d0f19b614ecf5d4b4c57e5c9b204807be6a0652ee1b5f4e16ba0f1695af5f

SHA512
7246eeab4099df217635f082228eb1fe227cb0d0d0d574483ba6f825a99d342a5a9dc24eff1f1d3395fa5c4dfcfadc45e7a3d561828124fc9465b1ecb8932a1c

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
128KB

MD5
2f8a4b76d40b75ea7a402f8aeee89410

SHA1
e5659308cc08482a7b4c2a12513735fcbee4f252

SHA256
92f7c5f5b72e43d26fd71ffb120bdde560fb5a95b35e7fb0b82dc696a315d8ed

SHA512
6a11e98b21f895ba26aa617f97d12abe7a580f50f24017b75b06ec29e891117239ba4b64604337676df5e80522502d9e7d4208c3e1f7355dbe7c9c8769044f91

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
128KB

MD5
eab6303233d1f4f9db6d73aa71505289

SHA1
93bd491ef76d31f3c3a6f5624c1e402b7cd7a8ae

SHA256
61a550083b1560bc34016e2d9c666ce05f28af8fef3b96fb7e319c82788abf54

SHA512
fffd1f6378ebcbd1dcaa2266c6cbb57872a4d2b778ecf8f5bbe7ab0bed59278be6ea325ecefec9f0b9ae5a8b784783073ae2def5f56d13efe986d93eeeca84ba

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
128KB

MD5
355aba409e0f55a348f4b0df3041071d

SHA1
00667f1cf07ad6370ada083e726258b730c3a7f8

SHA256
0de61209452ab858be57eb40ca0ff193cc238f46c916df2f94f6c025d30a8a59

SHA512
b2b9bd298a28629216b3ed280b3050e5cf24f65b2e808d1a5430dc6932cc8184315bce69a35244a8994d47b0d4dad0dd11f68d3a67ccf0beaa9cde6e1970c53d

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
128KB

MD5
3ca28119cac2ef19517ec2034cc1cf82

SHA1
528786dc8470478d7b824ea0ffd95f492baa2150

SHA256
28771dcc52c8da6d1f6e66b8600e70a7042854736cfe79adafbc30c80828e67a

SHA512
d9a187b00ae168a0eb33b87da818ea49b1745f9572b3b07113a1b053b05a3d365a0d4ac2787d6d3ba56908b57af1c98ddc1174c2ceafcdb2bccf8fbf3bc82a58

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
128KB

MD5
14b1fb41931e9ab86449174f8e1317a9

SHA1
653eec34f7b078a7d948f569850aeaa6fd95986e

SHA256
a369f9afeb22f2de66e8e300205a3e352a2932f262ff32810adaabb65eb43846

SHA512
a800518d575558c14fcc9fb4926909b51f63b545e6934c28dd1f1ec268f12dae3ff2ad0389667d4b3fb06c527e84ef1163078214a246b11b1366c3b4127b5ad6

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
128KB

MD5
ecdb41a3c3586fa1e803b20174be836a

SHA1
f91433d687551e458d9b5b0b44b7cdbef9c373f4

SHA256
54838534418338dfaf5f6332f7bff44ed13ce689317ac55d26e583bbc12a7829

SHA512
f1e54950d11ad797aab3cf7987a8ecd0fdc7e4a86142ca62f2eb511cb2fde2c1a1bd4f4a91dcfced3f6cd59447c505d6458ebe9b9a6c647bac36ca21564f0577

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
128KB

MD5
7245681902067e0b1e6255d51421d5f7

SHA1
49d4fbee6d0159805e2270b7f5f1159801ddad12

SHA256
dad79a32b3e074691dfb4a650cad5937a2e73492937a59f7845c2222a889892d

SHA512
e734d779f4341f7164fb2d90a50356f9dd0e7207be8249b02ab7cf1b0619804f37c9151218d09b21f043f42c0c8513891f7967696bbfd07027b3b2f251a5a420

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
128KB

MD5
f878b5d6730758c2435e0aff7907865e

SHA1
ef37ce31e8ea732b727c62df7437cd8f4fc82c91

SHA256
84b4f4cdffe647fabcffc10b37fed6eeab7b4877c995ba3f748b63560b35d81d

SHA512
8ed44b18099e11bd1e5ae960571a57d15037fb0227ccc2ef963d4f50b19656848dc41f8261706ec8d3fc9887fd76fbb5f67f4052bc6097b6dd02ab307a01255e

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
128KB

MD5
b357fb3ed8116c359fbaaae5d412c9f4

SHA1
7160d4fa2acb79c80e8e96fc353980372a8089cc

SHA256
6cab1a382c7865c4a92257d7d9d0568cacf31a145da93f08f912bd824c9b3465

SHA512
8ed496aa267c9fdaa12b95f7c8dff0eb896b8b375dc46b7e02854343cb47880145c8afd5f010a0964a5c125d1522795b54aa137b970410a34de64bc6c59a9638

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
128KB

MD5
652c6b258d027e1c1d4a195c67c9227f

SHA1
e80728b6c91e2522fc02c97556080217871d54dd

SHA256
0755f138a4d1df51d7ba9bf310e2ed8847be3f52dc1c37f933cb34cbda79cc07

SHA512
19b2f44328b44557bb4d2396d35054cf655ca1cbaee0aa4625d3832134399cafa96da440c6c1f47c58721be82a495cdc7319d0f48fa16fe45aeeb54a9e80481f

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
128KB

MD5
3d21ec6348ffaded05008545addbfe49

SHA1
7d459b4ddc3ae3a917f86f5eb3fbc295af393f32

SHA256
e3ef79aa46d6e60f9e5bb8128e19da2c70755f8d78fad540db82d112a04f6e7f

SHA512
895700ff770c30037914fea79df8fa6aff0cb3c93da1b184845d181576c3946982e44bcbb0cb7449cf16be38c0c4b457bc74761f76985aef066d2753eb403657

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
128KB

MD5
7ae5a4b9848eca5e17a68b35b3206527

SHA1
5d102a21143b3c8a25f27e185c4c8cf71f9b0202

SHA256
11c29ee148e2e8168371b711d5f674c02d197ea9adc36b3b1e7d4393d7e8c36e

SHA512
7003ce0c906809b669d427496b3ef222782fe0d809ca4262e8042a1c127f6e91342ee5610bf06a9df914642de5a145bf3c3c9f7428b5a242da1d93bf263f3ff2

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
128KB

MD5
d4fe66bc4bf1e6e6522a2e65bd02fd04

SHA1
0a19cb35a9291b5e4e5ff39499a4420b29404085

SHA256
2c5587f1ef23b7f3572c2077c047e195dcbdbbd5bda342f407a3ca383d720157

SHA512
3b6e12c44a2bff14733f154dd191776ca6ae0c447aa3d8b45a43b565b514406353d2791d49da8575e20e11dcdc128155186cd5bf4f9410db9371b354d4d17091

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
128KB

MD5
2b869bee2ce6b94eb1502fecd15255e0

SHA1
9efc1e9b2e44cbf0532685d81cc1a6a1fad72172

SHA256
96acb383015639dec0911924929d9894d609f5694057e85a5f0f430c3c0ceae0

SHA512
9a756d8a10120ce14a4a1bc2966bc78daa1e61180450891729324d10cdf6b8fcb7d345201df89c81a6e4fea9a2ecc593fcff9d9a1f63098b6cbe877be87f9788

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
128KB

MD5
5be6b61236cc3b3abe33b10882c802a6

SHA1
40b7c5f17b7dbae07a9bace889490ddf3a95a44b

SHA256
29a7b9a704513a9183e87ac0da903db35ce3d230b768c2a0f1992f0f1c75b42e

SHA512
2afeac739d80a097968a25620c0c9d66bf5df42305ce521cfa1031558e425bdaea16cdbfdfddf4af460d49ff194b498f68915d1e84a6c23301fe36ae3f3c8276

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
128KB

MD5
3d01b9720d0f4108ed4e4e49cca00ed4

SHA1
0eae23af65f13c1542a8e26ba0bb5b1b4e8cd244

SHA256
2408c4d612b7b8f1df1b14b42d500729f971977f60dccda555b5ccde7cceca59

SHA512
c11843e563da19d4c61ad2eb0689ddffe6227be017b812b00856a6bbc341e2fcfa57738b107c2fac7288a05a807e82a2945706b36d1a80b41d09ab3a8eb71006

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
128KB

MD5
3898f9f41bfaa3192feec6e1a8114cfc

SHA1
b40086583a057c08361960b8a88140155513ab05

SHA256
20c641c2fbe2a63e5bb80c364065da53a352581b449a05acb57618069f6dc020

SHA512
220f949086f16dbe764bfbdaea3f594e031cd8bcfd2879a307ebad3f9322c7909fee1674ec55aff02d3d815c21d2213d33e4c7d08c30a55165460aee1b6925a6

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
128KB

MD5
9386941d4d6c9a3f9b31961a15697f26

SHA1
ca1dc1951603995c0cdfa17bdc6f37e940bf2c0c

SHA256
f178184bfc3fb2f190d40c4e6f868f3ae816f1290077e1b76161cb042f21c93a

SHA512
287b8aec4e50de99ae5e1be8673a94c075f28d6b2104f5ec66e07781331cd4037db7254b5adcc6a6d942991f13581d0ab28eb2a7e0efb3407a6f2e46ae21b051

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
128KB

MD5
90de5927e03534c11041c551c62bdaea

SHA1
deef48c36e7e49ea5432d7dbcca7383fbb8224c1

SHA256
ebc10f624ee7c08db9015d9450a48603f38b14fe4741bae8ce9a80406e446834

SHA512
0da179930d2cba0800a8a07724aaa02c12a50b6b306d4a5edf236dd0635085d82ca38af0111657070c1187653c7f6bcc8f3e23e2ca91cad2a61cd8e487778e45

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
128KB

MD5
cb04ee75602220fd8eb273d9e61543d9

SHA1
594bd91b5d24361e717d93d2ac4257eb597c8c44

SHA256
5465ed6c83d3988e2d28e63e13cc81cfaf77c67c3a3613edf57d07f305651ee3

SHA512
5f0c56c99e1de9014a0e22315fd37433c845586cb2d4ce3ee174e2707d980f565adbfccf6669984af833f4bf7c02962756cda41a515dfc4bd2c321a751144698

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
128KB

MD5
71fa957c83f49cff2b6f01be9a587cc6

SHA1
4f0fda703329d1c59d68d6825f097de67f2e2e71

SHA256
a0b7318b33dcf05c9a92bf24af728e3c3e7f8a5042c267a9fb6ab06ad321c6d8

SHA512
f2699d60881c3dc94df1b24e661e8bbb284c9faf89d684cc93ae0289a6ee84d0bc5805bddf7375351c978129a6e4fc384fab3832d63b379d6a53024b4fa69b09

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
128KB

MD5
2d93e1cf713285cc29058cb85dd453e8

SHA1
32c1771a76617a5dba0c21729560705be153adc9

SHA256
a5620d2abb76b458dc91a69879e16d1a9ceab290a7ba72d41bdb2e0e82b43539

SHA512
f357a0ecec9fb54c2c1a2daaba5b9a99fc42dc322a96914c6a03e1738e75b15c8eb9cdf24e815f85f45628c72916a5944610d414b41f08459d22b62f6ca4e37d

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
128KB

MD5
9f2767b6a8cdb3c8c54920aa3b745013

SHA1
adef4e59c8cfc868e4e02faf2caa474f9f9722e9

SHA256
4675c0e642546d2b29e5cac70dd297718bfb8b93a15668e6edfc7465bec419dc

SHA512
72369c40d072152481ec0edc8863b25614524a37404fb1dd97caf64b249e5917faaaa01c5d88608b139ec5ba139d9e3786f2f7fc50e80b66e171bc042f3dcfbd

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
128KB

MD5
e9bf8034d90b17c6a9116c86991165ae

SHA1
0167e8d9dd58e8b8ef135bce175e5ac142c6a390

SHA256
daeb3a90e2d70dbc00bff171e776f969d0003280f8b7869c85cb482be2db4540

SHA512
eefae226ccc560ca3b45c56d62cc137fa59804a45be276e830e4b25d9932e76f736bb574b6186fbcd51725584f430a537b3b755cd60cde373191e5a809b34291

Download Submit
memory/232-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/400-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/400-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/512-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/512-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1056-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1056-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1800-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1800-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1960-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1960-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2808-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2808-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2852-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2852-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4124-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4124-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads