576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94eff

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
Size

89KB
MD5

a5846871d41c8ebd469bf7e1e9938140
SHA1

3efc50a96777311adc5de014a5b177480109611a
SHA256

576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94eff
SHA512

2d9b3a5af46986103bfaa54f6a8f487b961e8e70bf1f60571af9ebf82d54573fe16ebf1fa9079a30b8478762f902502126766110fba004de55daa0aa5e84a0ad
SSDEEP

1536:9rhkH9Xyc6x08KB1ioXN9VirAmIwrNM/umjW65uc9lExkg8Fk:92dXyc6G8KDN9NMC/uIpuc9lakgwk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe

Executes dropped EXE 29 IoCs

pid	Process
1796	Bfkedibe.exe
1280	Bapiabak.exe
1828	Chjaol32.exe
1316	Cjinkg32.exe
3496	Cndikf32.exe
2156	Cdabcm32.exe
4484	Cfpnph32.exe
2600	Caebma32.exe
4756	Chokikeb.exe
2272	Cmlcbbcj.exe
5112	Ceckcp32.exe
4140	Cnkplejl.exe
2888	Cajlhqjp.exe
3672	Cjbpaf32.exe
3628	Calhnpgn.exe
4636	Dhfajjoj.exe
3316	Djdmffnn.exe
1100	Dejacond.exe
4116	Dhhnpjmh.exe
3700	Djgjlelk.exe
1868	Delnin32.exe
4604	Dfnjafap.exe
4440	Daconoae.exe
3208	Dhmgki32.exe
3908	Dkkcge32.exe
1804	Daekdooc.exe
2956	Dddhpjof.exe
3484	Dknpmdfc.exe
1492	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4392	1492	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 1796	4512	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe	83
PID 4512 wrote to memory of 1796	4512	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe	83
PID 4512 wrote to memory of 1796	4512	576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe	83
PID 1796 wrote to memory of 1280	1796	Bfkedibe.exe	84
PID 1796 wrote to memory of 1280	1796	Bfkedibe.exe	84
PID 1796 wrote to memory of 1280	1796	Bfkedibe.exe	84
PID 1280 wrote to memory of 1828	1280	Bapiabak.exe	85
PID 1280 wrote to memory of 1828	1280	Bapiabak.exe	85
PID 1280 wrote to memory of 1828	1280	Bapiabak.exe	85
PID 1828 wrote to memory of 1316	1828	Chjaol32.exe	86
PID 1828 wrote to memory of 1316	1828	Chjaol32.exe	86
PID 1828 wrote to memory of 1316	1828	Chjaol32.exe	86
PID 1316 wrote to memory of 3496	1316	Cjinkg32.exe	87
PID 1316 wrote to memory of 3496	1316	Cjinkg32.exe	87
PID 1316 wrote to memory of 3496	1316	Cjinkg32.exe	87
PID 3496 wrote to memory of 2156	3496	Cndikf32.exe	88
PID 3496 wrote to memory of 2156	3496	Cndikf32.exe	88
PID 3496 wrote to memory of 2156	3496	Cndikf32.exe	88
PID 2156 wrote to memory of 4484	2156	Cdabcm32.exe	90
PID 2156 wrote to memory of 4484	2156	Cdabcm32.exe	90
PID 2156 wrote to memory of 4484	2156	Cdabcm32.exe	90
PID 4484 wrote to memory of 2600	4484	Cfpnph32.exe	91
PID 4484 wrote to memory of 2600	4484	Cfpnph32.exe	91
PID 4484 wrote to memory of 2600	4484	Cfpnph32.exe	91
PID 2600 wrote to memory of 4756	2600	Caebma32.exe	92
PID 2600 wrote to memory of 4756	2600	Caebma32.exe	92
PID 2600 wrote to memory of 4756	2600	Caebma32.exe	92
PID 4756 wrote to memory of 2272	4756	Chokikeb.exe	94
PID 4756 wrote to memory of 2272	4756	Chokikeb.exe	94
PID 4756 wrote to memory of 2272	4756	Chokikeb.exe	94
PID 2272 wrote to memory of 5112	2272	Cmlcbbcj.exe	95
PID 2272 wrote to memory of 5112	2272	Cmlcbbcj.exe	95
PID 2272 wrote to memory of 5112	2272	Cmlcbbcj.exe	95
PID 5112 wrote to memory of 4140	5112	Ceckcp32.exe	96
PID 5112 wrote to memory of 4140	5112	Ceckcp32.exe	96
PID 5112 wrote to memory of 4140	5112	Ceckcp32.exe	96
PID 4140 wrote to memory of 2888	4140	Cnkplejl.exe	97
PID 4140 wrote to memory of 2888	4140	Cnkplejl.exe	97
PID 4140 wrote to memory of 2888	4140	Cnkplejl.exe	97
PID 2888 wrote to memory of 3672	2888	Cajlhqjp.exe	98
PID 2888 wrote to memory of 3672	2888	Cajlhqjp.exe	98
PID 2888 wrote to memory of 3672	2888	Cajlhqjp.exe	98
PID 3672 wrote to memory of 3628	3672	Cjbpaf32.exe	100
PID 3672 wrote to memory of 3628	3672	Cjbpaf32.exe	100
PID 3672 wrote to memory of 3628	3672	Cjbpaf32.exe	100
PID 3628 wrote to memory of 4636	3628	Calhnpgn.exe	101
PID 3628 wrote to memory of 4636	3628	Calhnpgn.exe	101
PID 3628 wrote to memory of 4636	3628	Calhnpgn.exe	101
PID 4636 wrote to memory of 3316	4636	Dhfajjoj.exe	102
PID 4636 wrote to memory of 3316	4636	Dhfajjoj.exe	102
PID 4636 wrote to memory of 3316	4636	Dhfajjoj.exe	102
PID 3316 wrote to memory of 1100	3316	Djdmffnn.exe	103
PID 3316 wrote to memory of 1100	3316	Djdmffnn.exe	103
PID 3316 wrote to memory of 1100	3316	Djdmffnn.exe	103
PID 1100 wrote to memory of 4116	1100	Dejacond.exe	104
PID 1100 wrote to memory of 4116	1100	Dejacond.exe	104
PID 1100 wrote to memory of 4116	1100	Dejacond.exe	104
PID 4116 wrote to memory of 3700	4116	Dhhnpjmh.exe	105
PID 4116 wrote to memory of 3700	4116	Dhhnpjmh.exe	105
PID 4116 wrote to memory of 3700	4116	Dhhnpjmh.exe	105
PID 3700 wrote to memory of 1868	3700	Djgjlelk.exe	106
PID 3700 wrote to memory of 1868	3700	Djgjlelk.exe	106
PID 3700 wrote to memory of 1868	3700	Djgjlelk.exe	106
PID 1868 wrote to memory of 4604	1868	Delnin32.exe	107

C:\Users\Admin\AppData\Local\Temp\576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe
"C:\Users\Admin\AppData\Local\Temp\576d045e8dcf579cdd264070a5283bf3310c7774cb0edd00079260ec21c94effN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\Bfkedibe.exe
  C:\Windows\system32\Bfkedibe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\Bapiabak.exe
    C:\Windows\system32\Bapiabak.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\SysWOW64\Chjaol32.exe
      C:\Windows\system32\Chjaol32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 408
        31⤵
        Program crash
        
        PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1492 -ip 1492
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
89KB

MD5
2ccaf9a7a400cfa8a45aba058148fd7e

SHA1
72162c4769f2635fbba648d6cf715290b8fac022

SHA256
7aba283a111e13ee5fbba966972a19f101f8431b57c6e6085ff5b021386062cd

SHA512
24a8cc7ed86db378b6ba500eba39431ce4919e17231ac82a514c1b6398ca6acfed37ffadacca22b6973d77ff36b0588aeb3786af3c59381ba230d8b8abc59a08

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
89KB

MD5
216e13c711df92cb4275a2ad4b0c9314

SHA1
504d6140475dd6d5bacefd7c92bd6a98864fec3a

SHA256
fc3c463e4af4e96a6c97ad6951473e50bf18fece02b06cf0fa842e144bd3ec08

SHA512
84dc3e92f3511c1c2a2efa4e7a8b05ae13483ebdb3342a2e47f28d1f0bfa265cd01707c341b40c13fc6d063e76dfcf78d55d22edf0a0097b2b1865496d5bb54a

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
89KB

MD5
1cc93d36ef8fe4647604f2b6c4de8ec6

SHA1
49fe8cddbd517d27b9835867ccb01743a192a2be

SHA256
904694130cdd1e2d374290d6fce3262f356eba4b34e4416857c0dcfa72d46243

SHA512
f1499633ac195e95229827e947f95af3393769fe2f5ac6bf2b9ac253cd802b47a9ff8b51f798495ff2ebec09390003e609a06f67450565ee1ade816d96c2c1d2

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
89KB

MD5
d6b5f392754d6d8118203b328c015b5c

SHA1
740f5f128da8c4c9db3f3bef2fc02c75948c61d6

SHA256
97cbfe484063be6d9f2d6452f9225a97690125dde449acf738d0556333f44db6

SHA512
93fc600087154e9fe3c12ee35068aba994a0d704e362e2da0e0168f05be9da2fcff40b154ee3fcd49b0c2b5df29d86cf752b1b4941490c3a9b596b4992539f9a

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
89KB

MD5
0b36e1802d2f30a7f220c3317ad27256

SHA1
6fc1d7b29da4b412e8cfdfcb6c3129939e167f4e

SHA256
25fb28410a78cb10c3e882828d5a9d410c4da692d818ee50773dcb3d783d00ab

SHA512
e99970ade6d9c57edad0638427060979a922e4de8e6bee1e8dfdf6fe63ab261491ce9938faacfebf249bf8252c50f6f243170f2bf15137edf457d855b4a022bc

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
89KB

MD5
716b37959ef05026d234c8715699b533

SHA1
36426e36978745741fbb25ffd2ac902c838f4383

SHA256
fca64fee0e4d314d1be611692d6e49c4af2d5966f41033114b57523e23984539

SHA512
f9dec12765e6d10bbee1d8814de358069d7be6817820164f7b341c593df29020ea23c62f24fa26c7daee2d2cf5a7a3abcfe2bab5e97f0e6b37513e9b16e8ed79

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
89KB

MD5
0650d92250bf9cba513b4b6accda5e0b

SHA1
0d45288b9568185e3a4d3801eb2f95ce6cb4acf8

SHA256
61bd3a2e59db2cc1edebe549380dc94deb8e0d2307291b3707cd49af4fc74bd5

SHA512
a5a8d057dd1aa53ec2f8d8a72a223a6cc830e1102495728bb484e5ff25406d3dc95af0f290c263c8ec87396e45033995abc386ef7cc885f8aef485bd598f5907

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
89KB

MD5
77014ab9b97a2dcf415b2be382681457

SHA1
b8d89b8294d00eb257c00e7342548fac89655532

SHA256
4dcc6802de71181e58c3d98981cba8e17f231e9b8f3c158aff652271c09efb08

SHA512
a16f0efdd15190643f20c545de30e6fc1dcd3cfb00b921cc76d2e3270fd73ffe8d09b5ecc58dfc6ffc240a05277cdc3d3f426372f4c98078cb12de35f5854705

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
89KB

MD5
d62e260c2601843338e2c63ea2b81aa1

SHA1
8924a1eadcfe7386429bda641d56b79bf4ecc028

SHA256
10264f3b707a49d5f9f7639c5cd2bf746658560cda648099caa2ad1fa51c1fed

SHA512
d64c6d8e2aa9dd5bfaed92d4b41cc6d8becf89140c5107ffda5ad044061dc2d7eade6897075842c9c8e103c71f7d95dc8356419c4e0d90b87a4ce19f57f1c914

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
89KB

MD5
ca0751fdabe31ee0d75e6a1e49d7b091

SHA1
da82e669edc16344657980f014312dfb926b9237

SHA256
8cfc1cc89d5f58654f60671d1f76c6f6d4fc0443c302ce3a71790eaf7ff83975

SHA512
7cf6031453a3b35c240f06e77723c947202d5eef04f1ac0545e8eb3228364bad28847182c0960ede220f5a9a15f8f1f3634211214ff596258ecd5e02391ad327

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
89KB

MD5
a746f3ae463ed12f4a0475be2d614d7a

SHA1
1bf1db48a4e4d3eb21b924bf17649ebde0fcedd6

SHA256
886de5040e5144bff5f8279ce2bedd6a51554396f54b613fce887ec43290a7d4

SHA512
ae4a0c3130cb947bcb2d3c0bcae783608e15da5ab4930297a18a5b98cfd8f0fd9fe04e11ed77618026e182ca687ab4a507332da65321ae33ef6958d2f4149ac5

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
89KB

MD5
c80c9a25be9f239515e5683735b0a693

SHA1
150f6493c104703ec8b50f50d6b73ecd7a431774

SHA256
49d3e920f786a441df916a9485868b21208c03d57f4f1d3f91b922275afcd816

SHA512
78f0557a55b85cbce132f3d599c8ce44fae9e4663f1fd5f12b9ee85f1cbd7fe2d4530f0a2c76ce757a3d0b43f5e4b04ec97dfefb3498b2e7bbd7a096ecead3b6

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
89KB

MD5
1e3dd5c4ce2cec841ef8e3bb50a372f8

SHA1
15fac5fc4043e3f7f854a3ad5ddb72c6b08035dc

SHA256
c046fd0ed8a748631b0c4789d6e744a024c0f1e10c142c1c5152fa191d5fde5a

SHA512
992f4853a06ea3967006692439e0b11a994dae469f926d7708d63c8b70ea90e467b122b0a9adc2210c279cc00ac06433e0c0a04c8778f78ec92bd0372032fa4f

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
89KB

MD5
cc1562c94028d1fca67b52e2bd9a1df0

SHA1
069ea91b00c8e9849383904eaf3441c48a6216d7

SHA256
53ff732545bbb5a72e32570eabbbe8c605ddbfc7270e31918f0b75ca03024d5a

SHA512
7022e21f2388ce4b9613bfb5925ed4bd7a5c9062736e515ef5dde908d2e22b36f10cc441917b30ecf775312e98d73b616fcfae4ef40b5eda3da3bd1480093fc2

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
89KB

MD5
6ba96b98f38d08db89032c9284cee526

SHA1
a979c5d6d5ad071345a4bd665ba9d13c752f1cc6

SHA256
e3ce68423409bc7aab6c5e57a599ce9da09fbe584d7e9e18e1655f592a30c52c

SHA512
96233086c49e893ab076a2eed750ffa7e5ecab41bea89174f7c42e4fd5bfc63c19ad6d437b139ee33572438eab7e1a4ebc51fcb7ac569f322c1c555164457e43

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
89KB

MD5
70a93c17e46ef98b238418bd172d3fce

SHA1
2a95cd8c433fec72ba4887ed08ba55af239a2a56

SHA256
f9607b637fc9b465fa2784bce323b89a3e2350893e9c350e359f67a3c85f9e59

SHA512
d95b722d8ecc19095eb345760879a6a7ee219a2abb6a191f1342bb330f2bff258e5dd83368db5ae58e96cacb8d8f5c97d4283e508550679594909cbdf91cd70b

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
89KB

MD5
aaa37f7feb068f7d95321998d0b260d6

SHA1
6a4c5ab2a5c8bb365ee17bcc8b0eb7ed4d548cb7

SHA256
073425283f3e7860db145fdd28162c9c737593ef30e53c45070d7f2ce4c42167

SHA512
d032b62d3fb4c90bbbc9d629ef123067d1ab910218b9aaadd200d40e0d64cebe5a1848cc9b8a27cb603b54eb61d577055a08999c76cd15a3dbd57801351e0e15

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
89KB

MD5
cb227c6e1f68876d05f39fe224596681

SHA1
ec6939f851adaced2fea451ef5e5b6ff90e66958

SHA256
7fb26470ae386ca5394213f99b6722b2f342ff0cdae396de9dfaae2a9d960357

SHA512
34df7f3311ad6d6d8bc4d91011312fe7750ff15d479a265528c4678817ae5425842d2152f81aa92ea741c5ee875c5893f89d8dadcbecac9b9d518f2d2d98e884

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
89KB

MD5
3288d1f1f4a0d42a415581d017a543a8

SHA1
a251a6e97de592f25eb5a1a8f379e1b39f21807e

SHA256
52815722f28451ec8f61ff8d8368af7fa23de809a354d2f883021f415eca828e

SHA512
3813d8fe6a97774a18a7a7e34e6a91f0fa1cd2cee9dfe2275f2a80162e09b09d31228a2512b467212e7979940f2d252a809787c58600ea6c27f9143ba59c2d75

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
89KB

MD5
1ca3877aacce1fb577b3abda67b43429

SHA1
0a413135491c1a513e6165810c47057359d68bbf

SHA256
a4c5476f4c00c72fbf981b0ca45fe6efcb1677c42ef959b83c15693578f4601f

SHA512
d09e2a4d307d19666b2d07bbd9c47fdb076a6d7980fb9e3285eb76c9d79abb45c9b16550a15d92fe33c19913b903082c4ebcbbf3f32f2a067033418199c9ce66

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
89KB

MD5
9cc1469501283f6c3f0cbdb658f5b18b

SHA1
13785c49d497abf730cc6397cb06dc37905fd6a0

SHA256
f20e2cf17393937d089b0f5df70a48ced77c69e20dc6108ce824dc7e54e1ee24

SHA512
12798a34a154ad54473ed62a53aaafe9cd496f426ffb74a97e6384acf0ee9be8361c85e3d602d3a083abbf65e0774374ba914d67c4badc9f0cc7502816f43282

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
89KB

MD5
2d6ea9e8106278b299ece496d6e877b8

SHA1
25d368ece096272dbeaa2ae7b3c30cdb7867453f

SHA256
8b58b2386536c1d012fff08043af9d9187abcf3ed3498a3e5b646b8b0210955a

SHA512
dcd1074b3360481c4e21282ea48f4f6a2c14d42c004c9c4a7a42349727b708792622187a1fc8e3a1ce32ea673108cc55e83235ffa8a20529352a7cc5e7ab52fc

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
89KB

MD5
3e0f63ae880cceb0d881b1033add90fa

SHA1
2db72f0c52d00a35f915b55d7476d7f85ca044d7

SHA256
a1f393eca29ed8cd58e6f41ba4c805a71ee210f67a643570225633f35a88e946

SHA512
2fe790a8ca0f6f4cacf558966d59c8dd42bf339e1517bd0985bee63bf55cd99ce8422f7ffeda9c262e0aa988d6c3e9f324e85965e33ae90e88b636fca8df9396

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
89KB

MD5
b7f695b9e4fb2505b1b952134f6e7b58

SHA1
e302b91f53f1117116fa64d657c3ce8f1ab7a5f1

SHA256
fb502a0c892180afb0fc99768a8ecf88c13e7e7c46dc0a75db18d31e28af5388

SHA512
e15d18f819e31d98d7ad6286462cfc832c0ffc17e1a7db7f95094beb315461c9187e79703028c404fa3e3b9d910fed15711c8d88b773ba9f5c9bd3ab1d29bd3c

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
89KB

MD5
42253a81a8dc042aa03114625691f45a

SHA1
f981867402c80073ed8c484ababcebf60b2d13fd

SHA256
e12f5723c17ba5b578d8e76fe51c9748d3f2dcc854b7cfca17f9fdf7fe7c57fd

SHA512
333bb11872a11732193a5bb644a31dfbb992f9e4a5c50aea8e07e048fcf6e49af9f9acfc315aa2323d05d2b3efc784568c226cb0c0f1250c7ca7b8324b447901

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
89KB

MD5
08f65276501aa463443e365d32fb694a

SHA1
fb2885f17ac26028a4c81979bfe73cc9d48f9677

SHA256
98f294a06c331bf393e5a09157b873050d99b47ab0d67b6753bc0c73aa1bc879

SHA512
899ead2614ce392db41076366fd1489156102ac6798c4fa657bce6342701782e988910d65a586cdd5968f654cb47d4426b6f970b10a81c079d81601f0e56f794

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
89KB

MD5
f1fb15356f0a6a54508d534fb665b34f

SHA1
0f4fc8648db1ed9312a12f8f4e8afc3201ab5682

SHA256
2ad3889369a816f2f6d9bb05b392455c006d333f9ae650293f494f3f0e9e0bd0

SHA512
881f0ec83cc5d2684b329778bd4dce8fc2248dd5afcf501e07e222fb9641b5d34449024bbadc99cfa6147a273a24a3071bebdf4a532e70cfe6e82bf612cf6a07

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
89KB

MD5
4cc8b23077ad996ced2a46639688c871

SHA1
c41e9e6e549a48cfae23d15c6c9f79f7e10ea82a

SHA256
4ebdec7ed79ff0a507011710c1d085c37483f6f1775530ee1e7c80ab66e9c577

SHA512
fa4051f2721622aacf8b0c132b77df7f7fc5f4a8b28357a4eff790b875ade16d3ab5ba996392624460b08c998abd2c4638252e7a1615dd127e6f02221a129f12

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
89KB

MD5
f3d4b2ef6dde1d27366dfcd30294ed96

SHA1
6bcec0a2533c7171241bb0b888c0dd1916028799

SHA256
12d2d730406e728d5d37e8506b5871cbab1ff95cb02739b88213a954c3824d5a

SHA512
6d0397fc80b1ef22b65075b142959f8f70a4a6a7e2e9aaf01b89bcd609dd0a9cc1cf9b8e74fcbe0cd96ce4243768480cabe1ef29d213034b3af4d6e9eae8b544

Download Submit
C:\Windows\SysWOW64\Fqjamcpe.dll

Filesize
7KB

MD5
ccad7743fee9e5af0107c79167ae03cf

SHA1
b04f491b82e9e1ea4cf59abd4685f6835c5c2d74

SHA256
003de7bdbe3ea8a0339b5c5d7af6087d665f4dba015117fdf09bbff9adbefaaa

SHA512
1500dd64e5285e12e07bc908c256e9003fd1fa467b9aed90f0c56ab7f12207e28145a03d2dd06dcb7180dae4c42b46e303c8339da1dea19f3fa7f8bc2144f4ab

Download Submit
memory/1100-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1100-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1804-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1804-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4140-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4140-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads