ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
Size

56KB
MD5

d0a37777301b0629e67b8842d2f38e80
SHA1

e4200a2af362c7ab10d9a599a4abe520a1216f69
SHA256

ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64
SHA512

ba499b0796001720cc8f440cdef6fe6f347c7ca8bf8361e5fc590ee4f8b8774cebabd4cb68a8713550c414da23a82df4053f73454dd9a65b680361d1307aa34f
SSDEEP

1536:lQJrDmXBQkRKl7hVMbhVKagaXqQinC+E:y5DmXBNRKl/MbPFXqm+E

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe

Executes dropped EXE 28 IoCs

pid	Process
4524	Bcoenmao.exe
4136	Cfmajipb.exe
4564	Cndikf32.exe
2376	Cabfga32.exe
728	Cdabcm32.exe
2364	Cjkjpgfi.exe
3756	Caebma32.exe
4472	Cdcoim32.exe
4448	Cjmgfgdf.exe
4248	Cagobalc.exe
2944	Cdfkolkf.exe
760	Cfdhkhjj.exe
4712	Cmnpgb32.exe
5040	Ceehho32.exe
4260	Cmqmma32.exe
4836	Dmcibama.exe
3348	Dhhnpjmh.exe
2464	Dobfld32.exe
1856	Ddonekbl.exe
3248	Dfnjafap.exe
1240	Dmgbnq32.exe
428	Daconoae.exe
864	Dhmgki32.exe
3996	Dogogcpo.exe
1136	Dmjocp32.exe
2152	Deagdn32.exe
3932	Dgbdlf32.exe
4896	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3928	4896	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4524	4528	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe	82
PID 4528 wrote to memory of 4524	4528	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe	82
PID 4528 wrote to memory of 4524	4528	ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe	82
PID 4524 wrote to memory of 4136	4524	Bcoenmao.exe	83
PID 4524 wrote to memory of 4136	4524	Bcoenmao.exe	83
PID 4524 wrote to memory of 4136	4524	Bcoenmao.exe	83
PID 4136 wrote to memory of 4564	4136	Cfmajipb.exe	84
PID 4136 wrote to memory of 4564	4136	Cfmajipb.exe	84
PID 4136 wrote to memory of 4564	4136	Cfmajipb.exe	84
PID 4564 wrote to memory of 2376	4564	Cndikf32.exe	85
PID 4564 wrote to memory of 2376	4564	Cndikf32.exe	85
PID 4564 wrote to memory of 2376	4564	Cndikf32.exe	85
PID 2376 wrote to memory of 728	2376	Cabfga32.exe	86
PID 2376 wrote to memory of 728	2376	Cabfga32.exe	86
PID 2376 wrote to memory of 728	2376	Cabfga32.exe	86
PID 728 wrote to memory of 2364	728	Cdabcm32.exe	87
PID 728 wrote to memory of 2364	728	Cdabcm32.exe	87
PID 728 wrote to memory of 2364	728	Cdabcm32.exe	87
PID 2364 wrote to memory of 3756	2364	Cjkjpgfi.exe	88
PID 2364 wrote to memory of 3756	2364	Cjkjpgfi.exe	88
PID 2364 wrote to memory of 3756	2364	Cjkjpgfi.exe	88
PID 3756 wrote to memory of 4472	3756	Caebma32.exe	89
PID 3756 wrote to memory of 4472	3756	Caebma32.exe	89
PID 3756 wrote to memory of 4472	3756	Caebma32.exe	89
PID 4472 wrote to memory of 4448	4472	Cdcoim32.exe	90
PID 4472 wrote to memory of 4448	4472	Cdcoim32.exe	90
PID 4472 wrote to memory of 4448	4472	Cdcoim32.exe	90
PID 4448 wrote to memory of 4248	4448	Cjmgfgdf.exe	91
PID 4448 wrote to memory of 4248	4448	Cjmgfgdf.exe	91
PID 4448 wrote to memory of 4248	4448	Cjmgfgdf.exe	91
PID 4248 wrote to memory of 2944	4248	Cagobalc.exe	92
PID 4248 wrote to memory of 2944	4248	Cagobalc.exe	92
PID 4248 wrote to memory of 2944	4248	Cagobalc.exe	92
PID 2944 wrote to memory of 760	2944	Cdfkolkf.exe	93
PID 2944 wrote to memory of 760	2944	Cdfkolkf.exe	93
PID 2944 wrote to memory of 760	2944	Cdfkolkf.exe	93
PID 760 wrote to memory of 4712	760	Cfdhkhjj.exe	94
PID 760 wrote to memory of 4712	760	Cfdhkhjj.exe	94
PID 760 wrote to memory of 4712	760	Cfdhkhjj.exe	94
PID 4712 wrote to memory of 5040	4712	Cmnpgb32.exe	95
PID 4712 wrote to memory of 5040	4712	Cmnpgb32.exe	95
PID 4712 wrote to memory of 5040	4712	Cmnpgb32.exe	95
PID 5040 wrote to memory of 4260	5040	Ceehho32.exe	96
PID 5040 wrote to memory of 4260	5040	Ceehho32.exe	96
PID 5040 wrote to memory of 4260	5040	Ceehho32.exe	96
PID 4260 wrote to memory of 4836	4260	Cmqmma32.exe	97
PID 4260 wrote to memory of 4836	4260	Cmqmma32.exe	97
PID 4260 wrote to memory of 4836	4260	Cmqmma32.exe	97
PID 4836 wrote to memory of 3348	4836	Dmcibama.exe	98
PID 4836 wrote to memory of 3348	4836	Dmcibama.exe	98
PID 4836 wrote to memory of 3348	4836	Dmcibama.exe	98
PID 3348 wrote to memory of 2464	3348	Dhhnpjmh.exe	99
PID 3348 wrote to memory of 2464	3348	Dhhnpjmh.exe	99
PID 3348 wrote to memory of 2464	3348	Dhhnpjmh.exe	99
PID 2464 wrote to memory of 1856	2464	Dobfld32.exe	100
PID 2464 wrote to memory of 1856	2464	Dobfld32.exe	100
PID 2464 wrote to memory of 1856	2464	Dobfld32.exe	100
PID 1856 wrote to memory of 3248	1856	Ddonekbl.exe	101
PID 1856 wrote to memory of 3248	1856	Ddonekbl.exe	101
PID 1856 wrote to memory of 3248	1856	Ddonekbl.exe	101
PID 3248 wrote to memory of 1240	3248	Dfnjafap.exe	102
PID 3248 wrote to memory of 1240	3248	Dfnjafap.exe	102
PID 3248 wrote to memory of 1240	3248	Dfnjafap.exe	102
PID 1240 wrote to memory of 428	1240	Dmgbnq32.exe	103

C:\Users\Admin\AppData\Local\Temp\ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe
"C:\Users\Admin\AppData\Local\Temp\ce65467aabd3e6094047f0a5f48082ca6cbf9b72559134411c6986abfb00ac64N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\Cfmajipb.exe
    C:\Windows\system32\Cfmajipb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\Cndikf32.exe
      C:\Windows\system32\Cndikf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 400
        30⤵
        Program crash
        
        PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4896 -ip 4896
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
56KB

MD5
c2411fd380137f908a1b77f5536f8f4a

SHA1
1dcfc0eabc6b9fe2f378257fcfde9d2b095fb74e

SHA256
2e6ae0b8084096bd0d172fb187662a2c5adb1bbc8866fb0e64b698040be07a7e

SHA512
cd1a70e94913ed16786f2618157520c5abb12b46a1d092ed88721b2699b71ff36f8b754b8f269098ddc9c276eca5cccc90df1cac04fdea5e427fc813545ee53d

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
56KB

MD5
47a15f53e3ff55a47d8016badca1fbbe

SHA1
3ba6da8ac2f2e8ebd9c9b83a228f2397636bdbd4

SHA256
df3b146cddbb1129df3ddce7416a0c79c500db435accfe9a6c08ba5f5fa3427e

SHA512
f6505f9f0f4c707932b5f8618e6706963ebfbf2fb1aa38ae5c173c05a794df22a5ddd5df726d6bbc0d610655cff3a9151d0966e977ff8723be968170f876922c

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
56KB

MD5
ad77cbcd3dfa52f3aff1237f61b74665

SHA1
cf7582d710bd1045e83af2f2ad97bd03d34a1dab

SHA256
fc333ea451dfb19f8f9c18cf333ccb9cdf310afb201d84368b1f8444fe07794e

SHA512
0817db026be76f6ebc0f15cd8a21e7b0487e2de01d4b1faa405bf854c61339017fe98e980082f5670e60d806759f49771841d3181f195d8fbcdf86562df23362

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
56KB

MD5
895bf34e08e1fb4a89c39c85fcc7e108

SHA1
915ee5e5f342461fc69a08a5f887ab8027810315

SHA256
a74023382e2e016e8a4675347ea587a3d4616913eb0049007b24039112d0b996

SHA512
5b13595fa735f526f694e225879340a0bf88a753c26a0676f6b0b703d2a76941fcd73ab8177360e83d8709399ed2d9f8d9602dce9b3eaab47b2609b7f205e11a

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
56KB

MD5
4cea3f1d63aa408bc6ba84d9bb8986bf

SHA1
0d11c4afce215db8f9aa6b6d778fdf425f8c0b28

SHA256
a2d1a00913175327a515b80c0bddef798a381dbad944fd732e26398871d8c14a

SHA512
59f522c61216c36ba5527250e898ee5b5c790271bec938458776f618411eaa63323853ce8f02d7ffe29c967cf996dbeb0fd1ff0a85e8d705e3afac52b2b9befc

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
56KB

MD5
d1e8248259ee3ef6bb7fdd59100fa9f8

SHA1
23df3d793d440a32917b25399468b7d61a72819d

SHA256
4c6e8676f1d455027d0b82ea207975cd166b7abd8e0f44e97ee46f0de22bdc53

SHA512
830d41fdea4a179292807c2a00ef5519e7811fba7bb35f132bf51f02ba4a1ee342fcc2679c63e8eee8f1896a1656242e661503eaed4fcc1a84c20ab3a17cf62b

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
56KB

MD5
e202da386d050af1597894da6ef5cb68

SHA1
b21ad86190753b2568cf66b88c2ccff57cf623ce

SHA256
339c2ceb8e5ba1f7e00d2d0df520541ca625ec431a49e25f053ba7aa5ec2c4a3

SHA512
58263a660c6bd23c13da2908dea9941698e9d52f6667feb10e4dabbcfe44594175670a61775c9af45a8ea1690646273b0bf4a229b54e50a42654017b3c092136

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
56KB

MD5
8d3f8f28baafac34594a2fc64865690e

SHA1
0165e877efb557c51fa7c006aa913bfb36eed733

SHA256
92e4b8716f9c82661a8a469332918a7003d5e08b96b2235f06daf44d28854594

SHA512
70b1736dc920d24db645a2640c6523d05d4e67675c18790cf564bf9df44917c07e64f4aa91d892a4f90850d5d4428c2a0ff35c02bafb17f5c77bc7ba3463efdf

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
56KB

MD5
87568556a85021f76a20a8968cb3bb4f

SHA1
31bb9b0ada0a4d21d8153c16e164d8204294ec23

SHA256
b4d802b8468814f91542bb010281025b0c5ff0998dfbfb8d4445a495c870c708

SHA512
d51ad73c3ac5753c5377c813d105529156e1dfeb4fd2d117eb034818b2b85cc954e7ef8f4d952cd16a181c688f1bf77e89f53f84a9ea3e212be6f1273aa38123

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
56KB

MD5
7d0a45efc87f6a7d7b06b1383d7baf29

SHA1
6f8210b637789b61c2e648df9231645bd1925255

SHA256
d8ad781fcf486911138dd0c01251a14cfa507814b906eed1dce6ac36e394a0e9

SHA512
467e69267e2a27a9955df31c25b74ebdc826e11581cc8607c2440b152f5f52ffffff9a85363c3b1fe2a6992577c7d2c027f3d512f8eec6ba6b3ced84c7caa7f6

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
56KB

MD5
9ed212a46dd0529cace36b933660ed22

SHA1
1940434c28a2c0e305ab8fb9c7df53f0d88a1911

SHA256
eedfef1d09920ced858b8525f64cd41bbc8f4a88fb3acf3aad3bc74d59d0b3af

SHA512
d6e9b9625c4bcc004750925153b8d9c5dbf8158e842969e2ef9d754ca81801f3b0de8e0e3b6f5aa2ee15a78d885afe8f5d44784fd260cb9c5834da66edd92375

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
56KB

MD5
7a13c802f97878309953d367cc7d7241

SHA1
68f6065eafe0cc0cfe9e7bd88b655eabb7bc1826

SHA256
9ef323d45402413cadee542b45886d650fbbb7355ed148d3d92290f15d29e2f5

SHA512
61a9eca9921b29bcd1ea9399c4ed7a8611cbd94b45797d615a1fb54576e72a3dbb96ffb8d4121055b2963b54e4d5a783b7196a5cdbc21aa0f0da02d4a5e1f46d

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
56KB

MD5
1232f4723a5022d4dd812ac8982513d8

SHA1
109cfee047a1f435e02d99b9e6165312ceebb9a7

SHA256
20b256eee2e67616505b990bbb8665659461b0ec6738df1d2679ec57e2630f4e

SHA512
74edc7600d4a68545ccd2b694f0e3f672dd3edbdc93fa99718cdb1bc4893abdc8c69e4ff1ce718e68961705ffd18012e9acc54cba99c2f92c72e01536dfc7f0d

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
56KB

MD5
ba5f2cdd521a084e6879685c98711ec3

SHA1
9462a458165235311e918b033c8c74e2fbc1e1b2

SHA256
a2160e4aca9e1a9689a28c964d357d6077e27d203f61da3bed8bb28ce31bab16

SHA512
7e8da6e03a5ef55d51e657e4fb9fd3ffbbbfaf1ccee7197d46d352afc3881d5038d4b8f331e57309069926fe89c7da132cedaa47133e8ba1154cb8825e235152

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
56KB

MD5
d1922b6ba4477cac1d037245655b57d9

SHA1
0d176a5cc01e61e87e0f0e74be007bcea407e456

SHA256
79d1a251537d029b8de0c21cf5df30d4b1bf9b575c1d9f6df2bb4f543150f8bc

SHA512
b63e5f74fe1c39044263452433b0aa5ae62d1fd25e2477fbc25cbb90c8ffc953e56be0a8e7976d17aec4309b3870639a94e26b222704cc8ffd242f38b4a0cd12

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
56KB

MD5
48163c3cb0fe5ac01bf9f7f3ae9254c0

SHA1
4570ed45eb350eeada36b00aebe856a778c4e558

SHA256
3138b87391771aecca4144372594d661198a9c093e54bb3d799879ac5f94d5bd

SHA512
935013474b29c63a083c5d4e0cbdb78f0d732ab35c423d6139198dadd0d7487e6bec60708c96936081d05bce5cf3cf37087a53063fa95f29f4a410144be17422

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
56KB

MD5
57ec59e9a6709924a176324175c30561

SHA1
8971f7421abddb1d3b8af6fe6f4fb3da1f844452

SHA256
b81e4fb85c22af34ce338e4307e89f4de511aa57e3c8af999399ddff4554f5e2

SHA512
1b2ac661f27ca0bd0d3521a4c8ae572787e99183a306e316c47b231a87ef01fd7c516f480d0d157fe427526673a6bb98e3c65fdcbeb19c739ebcb5fdc8d5e81f

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
56KB

MD5
844f32f5176e323d0e45e3daf24bfcbe

SHA1
20caedbea86a8f41d2d3e6ec651fd2aa2705ee03

SHA256
9bddf3a8bb55d9277850c5e6715d4e3c334e622f85bfc75dc365ebc611c8d3ab

SHA512
44a4cf2fbfafbc2ee17ea16b8287becf7ec0b84b9246dc89129ec4e35c01ed4dbaef3174c0809e4aa87e6ca611d86c1b27f860140225af8d04bd045355694277

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
56KB

MD5
6508f1efe62f34a71ed93542800643a5

SHA1
d1b15f5d7e1728ea9640a9a6a0d83d8840b5b0e3

SHA256
523cf50af5b98c3d163a365fade68bde7bf0e27fd80cf0c281d136e460e408ba

SHA512
8d390c89abb722e4a195fcc285f06bcb4c841e00b23775439d878b6a70b8327802858388bec31f1cec361882bcaca0e3e92675e6a17c1fa9b670f4bb33e76222

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
56KB

MD5
e40c7b8a8ef0edb4401c47b9668eea62

SHA1
7d4587604a50a8f3966e7144a5555dfd09557327

SHA256
d282b60a5515e8e2e1b3a98e684d08a7a1e22dfd22e3fa0108b8e8ff29ab84d3

SHA512
6cfe415f7e07e846a3fc5b29b1df6cc2066010310012e88d5df6399d2cc0f3bd9ecd4fde2bd15e354c7f0f21b4e75b7821f7f8f12450b11118cef4db19f526e1

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
56KB

MD5
7da2605a614cb994086dcfcbec0e4a6a

SHA1
ac06103fa150ade23053308a6a2768f19a5f07b6

SHA256
22fdcd8adbc30ce011f23d7cdede11f587d361005959fc618b6e06c8e9236d04

SHA512
dc51315ee0c620a9c597ab15a9d7834aa9d27430d34fef86fe107d47f31b861bbfd2a64ea02adde546c690a0b7e50e39fc3a9bbd160e9928af324e92696b8ba4

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
56KB

MD5
ea63c893d6ab5d08a89be8402080f928

SHA1
57cd6d4da6f9529fc88bbc93762236a3f3f757bc

SHA256
ef92c8fb2bdf4f1c3ae0e45ee4afdf357fa4959e34fb5bc1ef658c36ebe2d5de

SHA512
da4409ecb35a2b48763d1db34d49bc01a9750486d60b0e6abef2d679aad49bef08da2738f86e7ec25b3eb03f1b2d9d11ec4bea095bf9fa0b908db8b394de256a

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
56KB

MD5
6389c08e87e9d1012167ee6aab74f094

SHA1
a345c0a7d154037f85e25344ada34137b66b29ed

SHA256
fbc8aaa6c13f19e1f1eaef5844cfa3c0f35abe7a1e8010624fd20f68cb1f442f

SHA512
9ab85616f61e85d17a2f6d536e18db88c5e791953683fff6f72a4ea28044cccc13882e6d8be4a2f2dbe953991b9db6bea1d097f7b85bcf4448e56b0437491bdd

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
56KB

MD5
99048853fbb97b5d72bca67fc71971b3

SHA1
0773a08c306ea840a24ed0e1282faba69c0221b6

SHA256
f9029533e92002621834c1a36028ecdf66ea13c62d0952c96e8b6cec5e6f2d83

SHA512
34ac5551f8a19b34e1b2964207b365459b0ae77938e5b9e8d7c4d1c09d20eb1d9b76e6d0dc6c1164cdd0d099d296395354a71d0e1f5cc5b26b8b09438e998637

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
56KB

MD5
d6374d3484f93f9acc15a16acdca7ea5

SHA1
9493216b1c33fd2aa6b80f90a308c3828048b246

SHA256
38ea2f048869f5ca42cbf2cf7f0f9a11c823492e5415c0aead57abe9573afbcf

SHA512
bfa05aed37bab1c38f3d06a71a68280c78a576b069208abdecfdb408c80d68e06b0249c258e83b83803d125b2268c8a784b781d694f0b086bddd7c060a269110

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
56KB

MD5
40017b538a5dfc308666e4363440b31e

SHA1
578741b3f7547a166ace34a58f8cca99b6842072

SHA256
4f560bbe43a955c8cbfb9491a7bf538c2e848abce5503d919092343fb7809762

SHA512
cbccf75b9618431541b9c0fa911f7df3beb297c1a4828ca13d24b4d31aea63c27cee85cd866cc7d52c9a3854e118be92adbf0d3f20d9bac9af67e15ed89e5641

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
56KB

MD5
de4c78b2af32a955c7e2821c0a9f9bf0

SHA1
59d6a6d466e8913a34804e3db094c51c5f12a373

SHA256
090b60508a1230ca744f0f7023414622e9ca95cf1c15176287294be42fe83d13

SHA512
2f8d6cbb7234e9655e40a1e754a79b4c4150a6f46d7811f99b28eaacf22a00a89eace08456eedd08374d8a1c7440ab493b49a8c8fc910441f3a805859bfdc41e

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
56KB

MD5
a9244f2ba7936d2b5055d14b664af381

SHA1
7f59af201a0895eaec1058b93669e8bbd5136915

SHA256
bdd2677a6d3c97949371b6ba7111bac726ffa35b245906d9eb667a30b55f069c

SHA512
fc3cfbdaf9d17dee100da501035426d1cab940897658dfa9fd9d1448e61c25dbb1b82a0d0de5e8c37cc1265b37fff359a1775d354ad83ef8a15fddc79bf9bec3

Download Submit
memory/428-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/728-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/728-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4528-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads