5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe
Size

93KB
MD5

6e260b2cad6a76aa077f1d96d2bdf4a0
SHA1

a9e4928d80ebddd9abe9a3412c2416885c328282
SHA256

5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522
SHA512

ea17268ad09865d3dc8f88ef81bf6bf2f49b6fff57c2fb0d6e33c67445f7cf60a8cc974d1eedfc09489a65a5ee517197a728e9ada97520e678c7e5367c5d38a9
SSDEEP

1536:1BVBniTA/pVZxPKNSnsMiAKxssRQqRkRLJzeLD9N0iQGRNQR8RyV+32rR:bVCA/pVZxSN/MueqSJdEN0s4WE+3K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe

Executes dropped EXE 34 IoCs

pid	Process
1120	Bchomn32.exe
1516	Bffkij32.exe
224	Bmpcfdmg.exe
408	Beglgani.exe
4608	Bgehcmmm.exe
2424	Bnpppgdj.exe
4296	Banllbdn.exe
2764	Beihma32.exe
3164	Bhhdil32.exe
4328	Bnbmefbg.exe
1028	Bapiabak.exe
780	Cjmgfgdf.exe
1904	Cagobalc.exe
5008	Ceckcp32.exe
4352	Chagok32.exe
4332	Cajlhqjp.exe
4660	Cdhhdlid.exe
3256	Cnnlaehj.exe
868	Ddjejl32.exe
4600	Djdmffnn.exe
1596	Danecp32.exe
2124	Dhhnpjmh.exe
4432	Dobfld32.exe
4924	Delnin32.exe
4480	Dhkjej32.exe
3428	Dodbbdbb.exe
4928	Deokon32.exe
2864	Ddakjkqi.exe
2816	Dfpgffpm.exe
4996	Dmjocp32.exe
4420	Daekdooc.exe
2772	Dgbdlf32.exe
556	Dknpmdfc.exe
3968	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5060	3968	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 1120	4644	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe	84
PID 4644 wrote to memory of 1120	4644	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe	84
PID 4644 wrote to memory of 1120	4644	5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe	84
PID 1120 wrote to memory of 1516	1120	Bchomn32.exe	85
PID 1120 wrote to memory of 1516	1120	Bchomn32.exe	85
PID 1120 wrote to memory of 1516	1120	Bchomn32.exe	85
PID 1516 wrote to memory of 224	1516	Bffkij32.exe	86
PID 1516 wrote to memory of 224	1516	Bffkij32.exe	86
PID 1516 wrote to memory of 224	1516	Bffkij32.exe	86
PID 224 wrote to memory of 408	224	Bmpcfdmg.exe	88
PID 224 wrote to memory of 408	224	Bmpcfdmg.exe	88
PID 224 wrote to memory of 408	224	Bmpcfdmg.exe	88
PID 408 wrote to memory of 4608	408	Beglgani.exe	89
PID 408 wrote to memory of 4608	408	Beglgani.exe	89
PID 408 wrote to memory of 4608	408	Beglgani.exe	89
PID 4608 wrote to memory of 2424	4608	Bgehcmmm.exe	90
PID 4608 wrote to memory of 2424	4608	Bgehcmmm.exe	90
PID 4608 wrote to memory of 2424	4608	Bgehcmmm.exe	90
PID 2424 wrote to memory of 4296	2424	Bnpppgdj.exe	91
PID 2424 wrote to memory of 4296	2424	Bnpppgdj.exe	91
PID 2424 wrote to memory of 4296	2424	Bnpppgdj.exe	91
PID 4296 wrote to memory of 2764	4296	Banllbdn.exe	92
PID 4296 wrote to memory of 2764	4296	Banllbdn.exe	92
PID 4296 wrote to memory of 2764	4296	Banllbdn.exe	92
PID 2764 wrote to memory of 3164	2764	Beihma32.exe	94
PID 2764 wrote to memory of 3164	2764	Beihma32.exe	94
PID 2764 wrote to memory of 3164	2764	Beihma32.exe	94
PID 3164 wrote to memory of 4328	3164	Bhhdil32.exe	95
PID 3164 wrote to memory of 4328	3164	Bhhdil32.exe	95
PID 3164 wrote to memory of 4328	3164	Bhhdil32.exe	95
PID 4328 wrote to memory of 1028	4328	Bnbmefbg.exe	96
PID 4328 wrote to memory of 1028	4328	Bnbmefbg.exe	96
PID 4328 wrote to memory of 1028	4328	Bnbmefbg.exe	96
PID 1028 wrote to memory of 780	1028	Bapiabak.exe	97
PID 1028 wrote to memory of 780	1028	Bapiabak.exe	97
PID 1028 wrote to memory of 780	1028	Bapiabak.exe	97
PID 780 wrote to memory of 1904	780	Cjmgfgdf.exe	98
PID 780 wrote to memory of 1904	780	Cjmgfgdf.exe	98
PID 780 wrote to memory of 1904	780	Cjmgfgdf.exe	98
PID 1904 wrote to memory of 5008	1904	Cagobalc.exe	99
PID 1904 wrote to memory of 5008	1904	Cagobalc.exe	99
PID 1904 wrote to memory of 5008	1904	Cagobalc.exe	99
PID 5008 wrote to memory of 4352	5008	Ceckcp32.exe	100
PID 5008 wrote to memory of 4352	5008	Ceckcp32.exe	100
PID 5008 wrote to memory of 4352	5008	Ceckcp32.exe	100
PID 4352 wrote to memory of 4332	4352	Chagok32.exe	101
PID 4352 wrote to memory of 4332	4352	Chagok32.exe	101
PID 4352 wrote to memory of 4332	4352	Chagok32.exe	101
PID 4332 wrote to memory of 4660	4332	Cajlhqjp.exe	102
PID 4332 wrote to memory of 4660	4332	Cajlhqjp.exe	102
PID 4332 wrote to memory of 4660	4332	Cajlhqjp.exe	102
PID 4660 wrote to memory of 3256	4660	Cdhhdlid.exe	103
PID 4660 wrote to memory of 3256	4660	Cdhhdlid.exe	103
PID 4660 wrote to memory of 3256	4660	Cdhhdlid.exe	103
PID 3256 wrote to memory of 868	3256	Cnnlaehj.exe	104
PID 3256 wrote to memory of 868	3256	Cnnlaehj.exe	104
PID 3256 wrote to memory of 868	3256	Cnnlaehj.exe	104
PID 868 wrote to memory of 4600	868	Ddjejl32.exe	105
PID 868 wrote to memory of 4600	868	Ddjejl32.exe	105
PID 868 wrote to memory of 4600	868	Ddjejl32.exe	105
PID 4600 wrote to memory of 1596	4600	Djdmffnn.exe	106
PID 4600 wrote to memory of 1596	4600	Djdmffnn.exe	106
PID 4600 wrote to memory of 1596	4600	Djdmffnn.exe	106
PID 1596 wrote to memory of 2124	1596	Danecp32.exe	107

C:\Users\Admin\AppData\Local\Temp\5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe
"C:\Users\Admin\AppData\Local\Temp\5aa4ce7a80bfb215b62e54e49fe4bd54e66dc770bdd17c9d87eb39d49b643522N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\Bchomn32.exe
  C:\Windows\system32\Bchomn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\Bffkij32.exe
    C:\Windows\system32\Bffkij32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\Bmpcfdmg.exe
      C:\Windows\system32\Bmpcfdmg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 220
        36⤵
        Program crash
        
        PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3968 -ip 3968
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
93KB

MD5
b71690d44b085bcdbcbeade1700395fe

SHA1
1ca71fef7078ae9438b64988ac309ba19b2e5424

SHA256
470b71ad29ba3d5baee5d4accb76b58567592936f339dbf4d7ca8aff24881a7d

SHA512
f72ca0b66e3811fb936798d55d94e30d60404f9aa71c0b77e3750335405922ee3b75a431b51cca50ca347a8117af8fa9796cc0b36280683df401559c0e88ac39

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
93KB

MD5
a1b0aa1bba893571422f99c93ee23a71

SHA1
3b19c92a0dc0b9071efd6111eb0d8a83aa9b48bd

SHA256
2c1fdb55f30e8bf2ab34353829308f29cf53d15676e4be1f87c73be5073c2a66

SHA512
1e9eb949650fdd4075dd469e02df8ea9e13ca93a6e863941fc0982681683a75f70469e617fdc955dca93a3653358914f059dc03088e5fe6cb1b905dc127fe2fd

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
93KB

MD5
c290507e82992820dc22bd79574e2bca

SHA1
82df0a478ba7c09f6adb17f1daae3944dcb46e2c

SHA256
97343ff419dc3e00314a529d21e4bf9938ccbf04ef08f287ab3baf7cf17929d6

SHA512
4b5606ae919905c8571019cfa181bf8ff0b6ba005d15c365cea014863a841e0737d14615cb35499e5c4358d7064b4a205c2f2f36db47f418fa79cd2fa584c24e

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
93KB

MD5
c37ff5a95b41050ee546f56761a14c73

SHA1
dc76ef85879c872ab9692f4eb7b2cf3994a6a690

SHA256
b505671ded40933c999e7ee0a6203c872fa047f742b9bb9c28f94ac6861586a7

SHA512
581a46847b8e9c9e23b9652aec3909c43a85eb137c3c2fb61d80f131384bde786573a0540998e36770f700df635425530c44170a0c990cefb181a1555b18228a

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
93KB

MD5
aae064aabd72a24b083a019a1c20e361

SHA1
806d6e6d0f45fd208e4f01b75d9e75829ee5d88d

SHA256
5c0ac34e2e9262492ec4089fbaeac35bf6d50d7caf76f7b95ff223adba154db8

SHA512
fe47c208fc414124d14e2113e650418088c9b7291c3fac2d5facf734d6d38f74ca1a879acaa1efa4eededef2612a9f88772f7a433f612480e8db555abf93ab23

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
94cf7817a641406a1a057c190220bb28

SHA1
bbc1a4f6d488769a91b8c5090365d0ab3913c176

SHA256
f4fbd839e6533f0cbcfaac530814c9479dd6014e9427d5918905aa517f85560e

SHA512
1d037a3cc353ad9f292c6130c85f5d009489d090c0a515a7a8fe9b0b52161a1bd764b3b9dfea88279888572a6e73a8e302caa197c7b3d8e6dd5a07b90007290a

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
93KB

MD5
c11fb0336b45ef6c55e69149d0760601

SHA1
274af8f59051e5b87d8fb4c8ebdc1ec11aa1f0a5

SHA256
d3deb12a63f5aa537e0400241d8c537befd4043af3997b643f151076883676f1

SHA512
d9ad46606f03812dc6f4186460369390eb5b642830344bbe1edd24fdc4e48a42b9b3a4b086937fe7c4c31e490b7539cfd20f31e833a9dab7426f2e4df0e796c8

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
93KB

MD5
6fd9ccf929d4cc045536d260bc760992

SHA1
c4ef2c1aa0b2d0dc17fc0419546533494a68eb5f

SHA256
7d652351afb35e64d49dd1425fd2036b57d8869eaca6fd5cf8853461506ab5c8

SHA512
f258d033d42830eea572b76a5f3091acad5d36f1c2b91a1bee564ee1821dfc1e9ab8a0915330e9d83982b464ca22f3b1649b286a2f485758d7d0f2e794bce2ba

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
93KB

MD5
f5307af3b2b5c68d8ec6b8f11a7f781e

SHA1
9234c7ee7ee0f4241d6fae34b98a80119c86db6e

SHA256
b5ac1472de351488ec88078cc37acb6b0ed3a21ac224e44704225247a6531fe1

SHA512
5f75cc519db57336d13bb5abedffe90570772eb810a3136a977613a02439bca4defdbe057032da58493f5198c05fd1d96f405560ef4d308c558481b601401e68

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
93KB

MD5
7e67cedd9139932b0868d935fd122efa

SHA1
e4c49a4a83e6329e95195da3bcb2aa233fc2c5a2

SHA256
047dedf8d671fddb6901553bf17bc9a4c136c11e201b1d5eb8b676ce583276ad

SHA512
fc426e427633c510adc5b06055bdb72474160299578886ed4163d0c9363567660d4eb824519681ca01a7fc136d869603526b254d047022948851179fd481ccc7

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
93KB

MD5
86660ae522df64e00268bb4c9a0fb134

SHA1
fd86cb48cfc9b03e3f0f680ef193da51c88de6a3

SHA256
c7408cf451421aa365fdaafdfca0a194bc4af1615b74e8a1182ff4500077329c

SHA512
1aafc4a50d26ef8444d66a4fbfc6d7ebecd6e214a100e1300cf9333637ffb779e327502f7dfb8b46951309811f6a937fd10df2b8994036fba8ff29312431e8c5

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
93KB

MD5
628d030e63174e171e7a6d86e0028934

SHA1
8d70d817ae6e697b5358d47c3f0ae6bdfd78b3c2

SHA256
5015a74ca900765e18ccdaf6a5d7e5a5a9ceac5284d39e75c70dce56e897f702

SHA512
5a17107168ff7154a5fefa5905213a238ba2d7b4cc738936359cb2ab122893b8037ad8e3627944e2521aac701044e6e46ac89204c397fbd56533fc002da8fa00

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
93KB

MD5
005de319f3a8d39b992f76e666b6c337

SHA1
c0fc7c8cc7f91c53201cbdfa23330804da4e81ec

SHA256
0c601efe3666cb9390a2eb10d196413063fc3daf2fde1956344bf88117eb0c47

SHA512
ff1b98e775de484e9fe2c35f8ee59e7595ba56bfa4b752c6bff3c7d2d873710923d46d9faaa86e88c29191618b0a53bbe9e9f2827fe3240b4fbcb51e7cdae3cc

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
93KB

MD5
a4dcb4a328cc3bfedcf85cd9ee518def

SHA1
e20af045388a23ee68481eb2c72824732d7f6169

SHA256
f01b4f31c098f8f64805eb8ab9c13b204d4de091e74b0e6e73c92d21faabd007

SHA512
eb018b98870e45026314a70fdfee15cd5b12d99f8681b5abf9d77ff63290d6d824f88295c5b798a73e4aed2043c6a6e91f3a6d88de6d8a77739436c356192e91

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
93KB

MD5
bba0d388dc0ef29405b48fa26c472294

SHA1
dd26a4242b69d65b4cc9e4ac9cb214ce8a8186f4

SHA256
57016f4b2a09ac080be1f06520be59b545219569436ad82168e0b261c5db6816

SHA512
b8095bd398aefcd728f48ec1eb24c072fc427ce04e98d36a106c8638d429db342df7521ab42dc6fb9321756723e2b7ae4dbb7dd6b6734113ac74ade7bbf587a0

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
93KB

MD5
46e857eaa25c91b83786e5d2372022c0

SHA1
067e9603282eea7cd7451b9375fdcf048f6078f1

SHA256
caf82970e920a6334d07351c8b99afb3b90cdbc3e3b225f38e1774e4f4fb5d9e

SHA512
793ec2709f320e452602935764e9e8447cb9f016eaaca82ded287f1a364467e862c65f9446a695accd81551c1204ea64a0903c45c008d21edd33e084691f727b

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
93KB

MD5
73f887fe7681f36d5a2fe239ee07c1f1

SHA1
e857c933b5e19f1e51eadf02589c16ff5ee3e80d

SHA256
5845be94287c87e5657e8d2e7b023bdf2f9f9a23a822d231732f1be5f2cf938b

SHA512
5c217d2f0c8507fc721e0a54f070884350f5f3510b57db7d75deb2bdc893f5e4a4230b90c9c26b9775891e08d13cfb3aada2edf46001268e31fe8db1e2ec2730

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
93KB

MD5
0921f6ccdd843b6154fe3e12af00917d

SHA1
8c2955c7c8cff5a41c0da1115109d1d8c1f1f2dc

SHA256
cfbf565fd85126201015914f182948bde596c57e174968bb763ef2473bafa9b8

SHA512
529fd8ac2bfa5a8c83a8c30e97d3a44dac61ca2f5ce9a52587efaaccb6ad605d752c733ee76511a6a38cc29318438a40d5c35ecb101abd6380cc279757061613

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
93KB

MD5
2a772a424d219e2f1287c77316537ff5

SHA1
5bb0845a877804f58216c8ee5294f7ad7e555c0a

SHA256
4475e116a7ebc4e72af359d50bdfd0085a672309d13a6211b0511b270d6aa52a

SHA512
ba0d70994969bb4d00177bc2475ec23189bed3d2a6e69336cee79398508dc63d57c2e21f3521039b9fac692ea6e71985f71c2f33144c71809923c9bb1263c205

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
93KB

MD5
94687b3c8866720647a2ec29acbbbb1b

SHA1
e63f0def71aaecb0a1eddcd484a7211110df3bb0

SHA256
deaf487f36c040bb6b2e60f822458a127aa0d89f895797519e0b6d736e809f36

SHA512
aeb04364236e89fd2b07269ef97beadff0593083dca6c493caa6b5c249d24cbd6de402ffa5e62cc5d58ba7544e15168315ed8a9d79e40c6a92427ee660bd1e3b

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
93KB

MD5
f19e0c83f3d4d9110e7915b197cfd6e0

SHA1
435f9098946200d42a91ffb94cc4d8aab597a4e1

SHA256
58f61f499fcf0babef0962e6bfe89c53eed632df3530d7b7224b0392a87f5b80

SHA512
5c1f1aaeb3f8dad8fa6a01deaba04a2d4fdc869705b65a334f72bdf569d1553c56ca07a47fad657e4c829994b7322ae1a65b59632d3b86be9aad454bf7b26aaa

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
ba38431f06c9f0517fe25487f2992737

SHA1
e13311b58895122460e8bd7b82a3c41570faf294

SHA256
fa38369a913049d2a6268df0c2fac4bb30b14846ce8f08809330539fbd2af8ee

SHA512
48e3e181de358e25d8f257516cfa7259c447f70bd39619061ffa9b8536363b71238dc998c595ccd1706a438064c5b952a3b219ca6773dbef8caa37a4ee602d1b

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
93KB

MD5
984f73b1ba6695e1fac338da25f3dbfa

SHA1
a5a38dce5ddd43adbf67ecd25c09416019ad61ae

SHA256
e42b983ef141f756adf14db45ab2651be9fd588cb9997f05289c0f37fc0e31c2

SHA512
4933fa26d1a71d638fbfa362526d4307de13615b2351abe047dc8ae44f5c088cd5c55a01f816a0dedfdf63e695fc65efb24d81d4d2f502b0296b2e0eaed59c6f

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
c1a388291fdd22b81b8ee74c09491822

SHA1
fea894cc610d143002b4bea4ff9f2df69234d7f8

SHA256
0fabd81b788749add12c86c4514176a9f2d6db209ee829bff202f1d0e0ce9760

SHA512
cc74b3436f3bc71bf218e3a5b7bf93082773ead70ad9937db4d93072fef4dac29e41fa13824b924cfa9cbefe5ce2883318867d5892b549c45da29f3cca2f07d7

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
93KB

MD5
cdd6055044bb663f4608f7986b08345a

SHA1
4f074e183bc9b48ac08f2afdd24f7729a1735a02

SHA256
f54df3b45be00ff2b09467ccb301087b9029a8899b41cb3e7d5846553ffe0953

SHA512
e9f2d2f608c8b884bff10f083e0a2c76e7e699691344c7131e3565c794a67fabe506fcb0930fa29103b2100dfbcd068ee182a2a99e884e71cdbf0fbf0a2b6d6b

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
93KB

MD5
4e60da4bdcc0a307be7c584debb2f1bf

SHA1
4938f9904a2584f467247af6c7fe2d42590a2c78

SHA256
18e1d3fe89aed07cf5fbad0294a25b3e87f0442657491562e7c7d7018f1f1ead

SHA512
a7c4ef83031f66284a0552ba2ad483fd0b7120acc6bded3c4b306530a0d6055c75d022d807b2464d8138767b964693a6b6ec067c9319f30345945f802acf57e4

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
93KB

MD5
2ca6f1ffc291b0d8d6343317c8c10ee4

SHA1
55c233e93345b1a79d20ce95e042d222fcad6ae2

SHA256
d3769661942ae1b160c7a1c112c10033c3b1c78e968ee1ef78f3052a92e8bcff

SHA512
4864d83a0bda61c32cc49f5ab981ab5f1e3d7c774bc596dce1eea31f0ef59deb47d05be2d8309c7c8ed83ac8937a201ec9a3fc3749e56863421239aff01e3329

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
93KB

MD5
b66d9345ee71c492ea0fc83b8cb09415

SHA1
08d7516741504c367577839023d432c7e3fd2a5c

SHA256
c31c526806594e3701d7b30de372867dd4d3b5eb9b841fd88c3d198cac4e7170

SHA512
5303a5a31ad1a0a52587be5d4e7e5f02e8fb9dd9cf79160966d14ecca8925be6cff5caeb23800b5c2fd6c81d7f2e89a8ae9b8882f979daad5a4bfc5a08bb884f

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
93KB

MD5
aeb4692b942d1d32e9115a35542ca4cb

SHA1
36e61f7a8c0b66c47d4ec2fea23c4c10912592d9

SHA256
f8d4a6f92635556075443acd19090c0336bc3b631f8e915f678db9886517d8a5

SHA512
7c4ccaea73d4b9cf0f7df9ca034458de4249ff3f6de72bc153f4f63fd624e343c5f63628c7a01dbe7c84da6429970a3019f0994d6c3e0940799d080fcc466a6c

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
2813f8a9419a61ce6cab76ea6dc4d857

SHA1
ec31c311954033e70cb00b06fc8ddc6ef31c69f8

SHA256
a7eff54a2039877b693f0d48af5d78f14736002c45bac5638c433e62de34d0a9

SHA512
e2cbbc32e6bd1001dab6b97dadfde6ae2b57972c4dc984dd73978d0fd83baf3709b291991551dedba10cc07da827c7a3833a02f4838c58dc89f1060e952b56d4

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
93KB

MD5
9023958a4e2a75f916739f343f1c42af

SHA1
e3b1182bd1dc668f9261e2d9ae64e62c213aba1d

SHA256
b53b41f4baadd1a0b892d62228e4d314e509747f68742f254147e07791e8ad9f

SHA512
08a1cdc212e5ae04a023ba706ed1e3b540fdf7fca673eacd0eed5e15e188860cfd51d07f92bad520f0c25bc433240caa5430d4b2390310b6ec5e7363e0a85375

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
93KB

MD5
5a59707d5feb213cdfbf27f23504a1d6

SHA1
efee8f5b819313669e9bf448fcd55de04158fcbd

SHA256
306501f7b5fa0623589a370deff8d718bba15b2bbc5403367baf45295daa9380

SHA512
db52eaf4c528d39fa8d0b5a7405493bd91b2c89255e5c3f6517aa351028d917bd3471c4e189420cc277c6e1ab9f646007ffce68d621eded7a0fe9526b0a49ab9

Download Submit
C:\Windows\SysWOW64\Ebdijfii.dll

Filesize
7KB

MD5
a88190f5aede8814397be5de77ccad31

SHA1
0927172fdd972899cac1650189879a9fbe35b2a4

SHA256
b919afbaff0067313331fcffb55af5b236a6a2b270ba8970248da9c7e037f30c

SHA512
25806ae4502081c1b8b6d633f502335436e35709707ee56533a78f54f3188fe9b02f8bd045d1bcc52af8513461e1791b7708f662d27e65c4b41fa8d4046b5158

Download Submit
memory/224-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3968-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3968-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads