bb3954fc12a07bf40af7e3849a814d15c2df5d889d61e55c33fb1d1aae7c11d3

Analysis

max time kernel
95s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b590f6527582b0b25e2b25cba38054a0N.exe
Size

359KB
MD5

b590f6527582b0b25e2b25cba38054a0
SHA1

f5868d861dad510211e61cccae4f94bdae00e8cc
SHA256

bb3954fc12a07bf40af7e3849a814d15c2df5d889d61e55c33fb1d1aae7c11d3
SHA512

f35dca5eb5927b7f0be17f8055fba943585c08ef9c5d42e5d8d5501181818a001752c7a01d19236d304a20507500b3c7c2d07f56dadd38f97b3d5982a4512e75
SSDEEP

6144:IFa+533HNUaCL4YVrOigcC6oQ6+EcC6oQ6+YahBQyiTACPTRN6+YahBQyiTAgiuf:uN3HiK9E6n9E6vah6yiMCPTRN6vah6y2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b590f6527582b0b25e2b25cba38054a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b590f6527582b0b25e2b25cba38054a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe

Executes dropped EXE 34 IoCs

pid	Process
3048	Cfdhkhjj.exe
3540	Ceehho32.exe
3756	Chcddk32.exe
4800	Dhfajjoj.exe
2684	Dfiafg32.exe
2224	Dopigd32.exe
5072	Danecp32.exe
2520	Dejacond.exe
1476	Ddmaok32.exe
532	Dhhnpjmh.exe
1788	Dfknkg32.exe
4776	Djgjlelk.exe
528	Dobfld32.exe
4700	Daqbip32.exe
3952	Delnin32.exe
2472	Ddonekbl.exe
1508	Dhkjej32.exe
3312	Dfnjafap.exe
4108	Dkifae32.exe
208	Dodbbdbb.exe
2552	Dmgbnq32.exe
872	Daconoae.exe
5084	Ddakjkqi.exe
2940	Dhmgki32.exe
5064	Dfpgffpm.exe
3884	Dkkcge32.exe
4576	Dogogcpo.exe
4692	Dmjocp32.exe
4308	Daekdooc.exe
5112	Deagdn32.exe
4380	Dddhpjof.exe
2396	Dhocqigp.exe
2788	Doilmc32.exe
3772	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	b590f6527582b0b25e2b25cba38054a0N.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	b590f6527582b0b25e2b25cba38054a0N.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe

Program crash 1 IoCs

pid	pid_target	Process
1068	3772	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b590f6527582b0b25e2b25cba38054a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	b590f6527582b0b25e2b25cba38054a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b590f6527582b0b25e2b25cba38054a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b590f6527582b0b25e2b25cba38054a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3048	4896	b590f6527582b0b25e2b25cba38054a0N.exe	85
PID 4896 wrote to memory of 3048	4896	b590f6527582b0b25e2b25cba38054a0N.exe	85
PID 4896 wrote to memory of 3048	4896	b590f6527582b0b25e2b25cba38054a0N.exe	85
PID 3048 wrote to memory of 3540	3048	Cfdhkhjj.exe	87
PID 3048 wrote to memory of 3540	3048	Cfdhkhjj.exe	87
PID 3048 wrote to memory of 3540	3048	Cfdhkhjj.exe	87
PID 3540 wrote to memory of 3756	3540	Ceehho32.exe	88
PID 3540 wrote to memory of 3756	3540	Ceehho32.exe	88
PID 3540 wrote to memory of 3756	3540	Ceehho32.exe	88
PID 3756 wrote to memory of 4800	3756	Chcddk32.exe	89
PID 3756 wrote to memory of 4800	3756	Chcddk32.exe	89
PID 3756 wrote to memory of 4800	3756	Chcddk32.exe	89
PID 4800 wrote to memory of 2684	4800	Dhfajjoj.exe	90
PID 4800 wrote to memory of 2684	4800	Dhfajjoj.exe	90
PID 4800 wrote to memory of 2684	4800	Dhfajjoj.exe	90
PID 2684 wrote to memory of 2224	2684	Dfiafg32.exe	91
PID 2684 wrote to memory of 2224	2684	Dfiafg32.exe	91
PID 2684 wrote to memory of 2224	2684	Dfiafg32.exe	91
PID 2224 wrote to memory of 5072	2224	Dopigd32.exe	92
PID 2224 wrote to memory of 5072	2224	Dopigd32.exe	92
PID 2224 wrote to memory of 5072	2224	Dopigd32.exe	92
PID 5072 wrote to memory of 2520	5072	Danecp32.exe	93
PID 5072 wrote to memory of 2520	5072	Danecp32.exe	93
PID 5072 wrote to memory of 2520	5072	Danecp32.exe	93
PID 2520 wrote to memory of 1476	2520	Dejacond.exe	94
PID 2520 wrote to memory of 1476	2520	Dejacond.exe	94
PID 2520 wrote to memory of 1476	2520	Dejacond.exe	94
PID 1476 wrote to memory of 532	1476	Ddmaok32.exe	95
PID 1476 wrote to memory of 532	1476	Ddmaok32.exe	95
PID 1476 wrote to memory of 532	1476	Ddmaok32.exe	95
PID 532 wrote to memory of 1788	532	Dhhnpjmh.exe	96
PID 532 wrote to memory of 1788	532	Dhhnpjmh.exe	96
PID 532 wrote to memory of 1788	532	Dhhnpjmh.exe	96
PID 1788 wrote to memory of 4776	1788	Dfknkg32.exe	97
PID 1788 wrote to memory of 4776	1788	Dfknkg32.exe	97
PID 1788 wrote to memory of 4776	1788	Dfknkg32.exe	97
PID 4776 wrote to memory of 528	4776	Djgjlelk.exe	98
PID 4776 wrote to memory of 528	4776	Djgjlelk.exe	98
PID 4776 wrote to memory of 528	4776	Djgjlelk.exe	98
PID 528 wrote to memory of 4700	528	Dobfld32.exe	99
PID 528 wrote to memory of 4700	528	Dobfld32.exe	99
PID 528 wrote to memory of 4700	528	Dobfld32.exe	99
PID 4700 wrote to memory of 3952	4700	Daqbip32.exe	100
PID 4700 wrote to memory of 3952	4700	Daqbip32.exe	100
PID 4700 wrote to memory of 3952	4700	Daqbip32.exe	100
PID 3952 wrote to memory of 2472	3952	Delnin32.exe	101
PID 3952 wrote to memory of 2472	3952	Delnin32.exe	101
PID 3952 wrote to memory of 2472	3952	Delnin32.exe	101
PID 2472 wrote to memory of 1508	2472	Ddonekbl.exe	102
PID 2472 wrote to memory of 1508	2472	Ddonekbl.exe	102
PID 2472 wrote to memory of 1508	2472	Ddonekbl.exe	102
PID 1508 wrote to memory of 3312	1508	Dhkjej32.exe	103
PID 1508 wrote to memory of 3312	1508	Dhkjej32.exe	103
PID 1508 wrote to memory of 3312	1508	Dhkjej32.exe	103
PID 3312 wrote to memory of 4108	3312	Dfnjafap.exe	104
PID 3312 wrote to memory of 4108	3312	Dfnjafap.exe	104
PID 3312 wrote to memory of 4108	3312	Dfnjafap.exe	104
PID 4108 wrote to memory of 208	4108	Dkifae32.exe	105
PID 4108 wrote to memory of 208	4108	Dkifae32.exe	105
PID 4108 wrote to memory of 208	4108	Dkifae32.exe	105
PID 208 wrote to memory of 2552	208	Dodbbdbb.exe	106
PID 208 wrote to memory of 2552	208	Dodbbdbb.exe	106
PID 208 wrote to memory of 2552	208	Dodbbdbb.exe	106
PID 2552 wrote to memory of 872	2552	Dmgbnq32.exe	107

C:\Users\Admin\AppData\Local\Temp\b590f6527582b0b25e2b25cba38054a0N.exe
"C:\Users\Admin\AppData\Local\Temp\b590f6527582b0b25e2b25cba38054a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\Cfdhkhjj.exe
  C:\Windows\system32\Cfdhkhjj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\Ceehho32.exe
    C:\Windows\system32\Ceehho32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\Chcddk32.exe
      C:\Windows\system32\Chcddk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 408
        36⤵
        Program crash
        
        PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3772 -ip 3772
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceehho32.exe

Filesize
359KB

MD5
184d3167bc18b737196da85be9f6c29f

SHA1
a7fd84134c8a20100bfe41c769481c7c5246ca71

SHA256
827816a29f396148441f08d724db5d17896eea95a4064357f7ee57cfc9e52b37

SHA512
d71815b60fa308c06d54855dfed2a18e64b1dfb2a54992327ed463be4dc691bb9afa4b25439bce3197043665cdbe4264fa5737a802994f94033e763611500355

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
359KB

MD5
11e2ee449d6b37bd26f0b84f31a8cced

SHA1
266557b04c19752cf867f70cb7122fa44f5b63cb

SHA256
6e82002abfa945ceef7351a62593d93402e3d3fa197cef126f5540ebcbc7e252

SHA512
83b4189f7b1539d945353166d264e5220a3b1f647885aa1f5bddca29468e620e6e4d51939e60fcae728a895c167afe35d2b13410fa2b7aab89a0f92beca2c515

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
359KB

MD5
94960a14a58d476f9e102b4fd6716336

SHA1
cabd7feee51f4c37c5af78ffbfbcfded96a32472

SHA256
2fd4ad3e2911c2f085527de5c3ae098119651a5080b494af399e84d59e784e03

SHA512
095b80cc24519dcd99469d1f6f7000c40249af90a367ac36997124fcf40b4f60c4b80ccdd07c9de8c0e71523cb659d10bbdcb525e4a95d4857c90cc0082ca85a

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
359KB

MD5
642c22f4512430810d60fe15682f6446

SHA1
b3e249e377297b910ec448d66089e17bb5aa3b09

SHA256
ee131ca91ea7d370710363506eb16e4bd4f68a4530bb2cbf2272e4fca51e139f

SHA512
e303877dd93b8f8599ad0c98531cd25dabed64f4dad6300e598b6cf4d524638ea518e9579b0e71f3db2b3575bb07b757b8a88d7e2b0735754069ae57ea70dba1

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
359KB

MD5
79a20b3edd8cf321b7a4f58f2fd1f795

SHA1
8541403b7aca5dfa2e80f2a159ba6776c45d569e

SHA256
6cfaee1e55a50c61c6ed8fba3d940af643fcb3ccdc6c5ac77435d232c7638f99

SHA512
a6343c4ecfbcc8a64911ebed66b420e81f8c7039636b6ad6ddd7bc0d423adcfe0c9fa4aeb5f19fc6cceedadf76a39b560fc9dc69c5a3cd9028a207e437094d2c

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
359KB

MD5
ade0e717f38a50e26c89fd07bd1e02ed

SHA1
2df56c717d08876b56ff3de403e44bbaed8cadc8

SHA256
bfa0f865a8dd6e893366b99500d81446e5132f3305997a4460fc8d330440100d

SHA512
7b83654d965e563542964fdc156b4ff798947b1bad9f4f789448cedfc6f93243d154c4f14377ebb92f4a15f515abb379d9a7cd1f542aac476a68e34c3081a837

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
359KB

MD5
ea6af4d51f585c78c30b3c2f8fd98d1c

SHA1
d29b68749a52db8ac6b06cfd5cf2f105a7e2125b

SHA256
c4652573f32c98de0bd56ca71e4f4a245e6f8a54eca044f4865609956597a31a

SHA512
44973532da2eaca69a7edcc9c31c633e7f277afe364fea7b984108043ae34cc69daecedce4dd338ee8436acf40eaea37fa547e2d92dc9cefdc3ca74e635073bb

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
359KB

MD5
9f392cf2d2d2a4a0a0dc4f0689e95229

SHA1
cee2d1f241bd760f131945857327826eb6d78c23

SHA256
bec48934f318fe5479d220ab55f31fad7a7ca56d2fc6d159a1290c333411b1cd

SHA512
a09904d4e2da13eacec4d91c6fb3a055c71719532831226bc3ddf2575a0c4dd68420b2c718571fc6444fc65459ae5bf8e49ffa8ba571a3885acc9a86c678cea6

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
359KB

MD5
a59b7ee511fb95e56bcc4823da97e014

SHA1
11052aedc215d3a1cb019a251ed940b6847af777

SHA256
1529fa38f79fe0ada5ac8eb5bc87a0736b2e17acae980ab62d11a33996af764f

SHA512
7704a8a93d749773d15ccf719da044ef50524f8eadd2cfc7238d7f7d013e9d6162397d22c836136bb8d4a6847ce943a35be3e65da776c0f42c4e46c1fc6e11dc

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
359KB

MD5
7a39df36003de24d7f09863477e180bb

SHA1
cbd7008b69688327f2a50584c939d68bbb8d177a

SHA256
81c1313e4ea5763beb657eb84304ceb4344756e42e82f68cbbe719cfb3642988

SHA512
061c245293eca94a21c2acc0f293a538cf3c8bdb9fb450997c9bf733bfdbf02266ca01e18936fbdc52af74f71260c8571c2a75fd5486ee6a3115d69ecd962a15

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
359KB

MD5
e45408e31836b9a832b54760353d4763

SHA1
27a89503fbb00e1feba0723466dee46b0bd84b94

SHA256
388b673b6b8af240d3fd4ae2e682e19eec198b003b042eaa8ca1b10e4fbd0f36

SHA512
516af3351a3135c4d71cae5be8f98259d76b7581691c07938e3cf724929e67ad3ead903c8d43f1cff95e8d78c64cca7adb353a4e098c56f774a5886c5c541e7c

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
359KB

MD5
19f40fa563b9f2170a91ca3108c0cd22

SHA1
f300fe7e5775b590c270d5a93c8280b4c0445fae

SHA256
cc2714eb14819bebee0b41046dabf0bce6b01a4547b207a06e83bd3af4cb1417

SHA512
7a7c795a4a9f2745a35ec1ba4d72d82a73d0a8227ef203a75cba8f2fd8ccf140a9f2402ace5f8631fb21874fd94e64423da388d45df7fa93754d745298e47e05

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
359KB

MD5
0177f55e72677e1d992c9019f383cde0

SHA1
4998ca6e502529e1194404ccd96bc8b31bc70616

SHA256
6070111838ddd991a31e99ea021a22ee283ce295c55470b8ecf3a129a3c9550f

SHA512
d6fc0916afad9439ec097c59448da104c3c705d1cd7ecc097aa2f4c1fe92514ce87d709280889a91be2349e9f77acd0e6eda55cc28a9541acb20619a4e2cc347

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
359KB

MD5
37afcb1922a4e867108dac78d968c263

SHA1
8f9b33165ac95c27e133e7e0cbf682a8860a5725

SHA256
1a1b2bd0fe3cc7bd3e51a027eeb857621c947eef01e256044c0a65886edfced2

SHA512
b75063f82d359c43a03076a0bbc09bbac1f35cc454ef251a535155da803c4e2d50fc133df5baefcf492e507d56931cef0c4145800a6b4b3124234a94c629568e

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
359KB

MD5
727f46fe13570f4aedefeeaeb496965b

SHA1
a88b8a6bcbcfb751834978309922598e39d139d3

SHA256
260bcff1db9b8278aab1067fe5ea72b83cb21c08ac08d43d33218dd3399a2164

SHA512
c01433fa08a3ae36f9e58b878a43f393003a65f011c867402147831cefa6133f0097baa1fd5b4eb51b50e7f8f6cf7e70b47899e2f9890a1ce65aee644b1184c9

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
359KB

MD5
d18141d633879d4cf04730cb64f10963

SHA1
7f44cd4bafe6f9ba3224cf015be753bd1d189e41

SHA256
4b3882196d9ad4f4dbbc2669b988cace8e20d62fcb9e234afc5992d27861b8e8

SHA512
5b6e61ad74cbef3d0d8f8781df30d5059107b0344dedb11e5961b592e6eb655b0e7bc9012c3ddb3290bb22a979d93c52d9ada01e35eba814d611d248805e6e0f

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
359KB

MD5
355656da8bf00e277dc7025ce8be7135

SHA1
5702242095a83a42445a21209d2fcd6752a48575

SHA256
63a285b3e0cacd045cf9e52bad488fd401ea4755b4e1fc30a55c70b4a6a63ddf

SHA512
c40d4bab4021062d3aca07f8d60e685c94df53f94cf3cfc6b9b7e5f6ceb87fa3b3fa6a38fbff58eed7863c40462d2b3425d071d1bc50e019005ad376da3400b9

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
359KB

MD5
310f9062b3ea3bb56f587d84cca93e0d

SHA1
51795be5e63d970bb24e300b2c884a08534583a3

SHA256
1a6b5eb68f4042f7873656fe2b62abd468d77dc2a7b072ceda835ad11face00b

SHA512
cb60189daecd241087000e07a99a004c5c07da277f56d6de65ccafb3fdd26a6ecf94bb027ae506c8f4776b1f423635255ce58b49425451be8d80061c8bbf59d6

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
359KB

MD5
5b02b495d7ce821a956da04f34c7b176

SHA1
d9f82c94e1bbaf99d99d7311aaffcccee8d1cdc0

SHA256
8e23a0a2539669208ad10f15220c92d8f20f40271b216e7f1758eb0407f7eff5

SHA512
5bba246cc611677edaf386de0b074b449f01eed9fcc5ff9e125849c6bcb007d3f86614fb95b04c538de82953206c4b562e7e66cdec9acbe546c41a300a4a66a8

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
359KB

MD5
a9a21657e773498e347b9233d01722a0

SHA1
bf83fba2f8dd7b6540e560a12c10e8fb0b37300c

SHA256
dc6e4516a4dbb1152b4b6ffe528e31ef6dd554f25fe882776dc7423a008c3743

SHA512
211a70c5330a4d4173d97ee4e8ff4620a756e0e7cb7390487a0a3901d94d1299c5e82e8a24c3588b9825a9f88caca07d80186bf9f573008d94ea64509ccf76d7

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
359KB

MD5
d0cf4d5e3072a77a20dafb70ed42b38d

SHA1
51b52017249e4fb03a29104a39cbf93dbaaf5e20

SHA256
a66e61d0de9bee546ad45951608e2b9dd7615ad068cb2199abaa949fd6429d99

SHA512
578cbb946635554a7047d172b23d9baf7272dda9e48af47b49bb5ac3bcf65a67af9adcc653542afe3c5668b10d8dde7fd25899adc07a511ef30d92614a71250c

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
359KB

MD5
2937c210e8a5713d36dab681e39c0360

SHA1
8b2c398a2cbf87a4d6310d311cbe6fd3de7ea02c

SHA256
728604c04d5ee3dfdab0d69dbed53e9d3e51ed0279fc4c8b0b6d39ae65f030d9

SHA512
403be38f9a16784b0c7bd6fffc4bfecee30882af0abae6a64ffcdd4958d9e87ec230e73a8ce5f9cc12a13a4677b499b3555de139c9b290a79a3f5c9ee0c37281

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
359KB

MD5
fe58092e1422175ffbb5ec8764848917

SHA1
35454cb36d18da11d675255f86d85a259d4e3a76

SHA256
a8454cfd36f7bb4360be83f651b7603533f5b6c676cedc6afb223391bf359d2f

SHA512
6470d71e70394695637aec173dc234f54808c81ed110142dac53a48d0b88ce2ba50836a9a35fe35388ddf1e72314ed081f16f25d59d061bceb50e571198b1bbd

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
359KB

MD5
53b8cbe8bd5c6ba640c40f92d1b313c4

SHA1
df5c52a0af896d7afad1244c6b26c101bd3de1c2

SHA256
fa8b45b39a4dfdba140a22571365b1f507388326399ce52f9d35e81046560472

SHA512
f33f9b7845a535135ffd7a5e17c982626d1cd41d5479d5f01790c67d14bbac84db888358c8e81418e8a73c32ae409def65c7714cd7964bab27230dd61216ceb3

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
359KB

MD5
a79e2386c52627195f7e2de4a055476a

SHA1
6f57bc79eb72cedf032a55e141755eeffee9b362

SHA256
23f7329d7319c94778fee712d5c4c117ea0657c0615494dd99cfd035dcf19403

SHA512
ff8f2367ffd8a67d77bcfeb3ec057c2a3991b93678584be2a2d58488854e54bb7f8e6612217685ae165f6088e7aca91bf7c32fb3a54b005e3eb3f52b75afd227

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
359KB

MD5
ed577d664e641ad2f18314824d116146

SHA1
6c1661498fc6c2b0e08d206b6928ade039429ca7

SHA256
8f6595144288f26cec1b4adbce167ba381b2afed594ac939e6ffc3767ef7aa0f

SHA512
2f1eb9deca0b090e98051225b7770a555757e8e37b05042d3cc6e48159d41331d36113d94b4a6c550997a8e72fab0184e14fb4efbd0e5c0c1db5ea7d3f672c66

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
359KB

MD5
92ed20a0dc8ef605619bb77c2be7240b

SHA1
9c82ae5998fa5d73dbe177c1bf1777254616997f

SHA256
4a88b9a90924af25f50f4ea7f4161588d63aa6c5255d242dc7d472b184029f42

SHA512
2bcf6ca2798bfd2d20283aa080290b7bdb4b17c266d48eafa870cb34905f4dcd0d229a090591a3f8b50447689c477e7f267975b5bce4552b9614865206423c24

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
359KB

MD5
06e0db61870db523dc575f80cfaaf500

SHA1
921c16a89afbfb4e6935e9f6c2a3f8ce9d2f0dfe

SHA256
d4c7542c325dd01392d72da2578e0bbbb1054ccb29e7877ef156386dd65f5c14

SHA512
73e417c224ca59ac396bcf4fdd9c31f858286797708bc6792faef5f024cf516f194f2b4233e71ff32f8065ebf8bff6d10979eb79a2d4f2f91c9ab5049bf182fc

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
359KB

MD5
eba5ca0ec3cadb6bd7ad177cbabad03f

SHA1
b7c46319eb7405e78bf6ca59caca35bee7f9cf98

SHA256
2c5f7b0fcb0bab1dcf7114b8b765dab5207f276b1c8b24de397ae1f56dffcc6c

SHA512
4afee9f2ab34f7f02e64745c80e40f6c06c6a1e72ad394f64e3025e09f30e99970cbf2c72c645f4c7b5745902081620af58fbdaf81af08aae672cd0ddba4d54a

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
359KB

MD5
5134d052ee33f421d16af72661a02665

SHA1
99cb43436232ce2a6f36d2a0c92841d55aa39fb7

SHA256
52f81b4011a3248a381d78fd914b13e280313053ad234b4461a0605dbaea68ce

SHA512
3161275d0601f7882d032c5a171dfeaea0b71ce8cebdaae8fffbfa4437b330f31cb5ef8e6e92445f3bd4876aa6402e0688d143d6359e28c4c41ac814f7623f61

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
359KB

MD5
b90602383203a5cf9be15265df002b0e

SHA1
81d900046fa9d21b35bdec5605efa87b1836e863

SHA256
a6a75bcf682a8f4f5071cd6f40a511cff3dea16e09bd6b204e6815c471c2e21d

SHA512
766d39374041a101a13622bda07e2615be54d8cf8078b08c1c47385827a94d70608fb2027da8c0b27df9aeb14569cb4d3e9efdd2f3b57c78e9d072d72f288279

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
359KB

MD5
5e8e832db84586bd2df5489254f6894c

SHA1
8e76a2c273c347bd8d43db3b7ba1ef24b03a378a

SHA256
42b783992168b9ab2bda17038d6bf8bc2ca668b43afcfc78386c9736ee4a5212

SHA512
36921c25327267f3d11de4005d6932ae75b5464dc4ada8f5e6ae817eab29dc346ed2290a6bf9e337949e71d6c1b0133086a33a43f113a7c74a03ffa2e328eac2

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
359KB

MD5
a202e075c3b2fa4c3d5527172e46d350

SHA1
e10fabb39a00eadb2e6526f36bbf2713692346a4

SHA256
f5cde97c151743e2fdddf26fb6e8da173ab0b5a3f7a901c47676405fb0a51fa0

SHA512
4f91e0305d2bca4c49cbcff498647beff56605d574c1c383a58420e4a5356825be5d1cc1fe1696a0cfa0ee5831f2a5214248ce09983d55e4f7b6ee2d9aa70371

Download Submit
C:\Windows\SysWOW64\Kkmjgool.dll

Filesize
7KB

MD5
8b48fb17ffca4a2ba8293213fce07d48

SHA1
dab8c9fa9f6371fd267e02f6d7a9564e5f7a8536

SHA256
f5cc2cb90ed5fa2f0692adbb29c3b13fa2a06f46ee8eb5ffb95737f3bcb015a8

SHA512
cc3525b0341fab55a12142ce23510d0d69c93a367b3929d53dcbf1411efcc6ff5c42fa18837adc4363babb68fb0d54ad27ecaedb4f9c4c20835739304ed3f309

Download Submit
memory/208-254-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/208-290-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/528-304-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/528-247-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/532-310-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/532-244-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/872-286-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1476-312-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1476-243-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-251-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-296-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1788-245-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1788-308-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2224-240-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2224-318-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2396-266-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2396-258-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2472-298-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2472-250-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2520-242-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2520-314-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2552-288-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2684-320-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2684-44-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2788-259-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2788-265-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2940-281-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3048-328-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3048-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3312-252-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3312-294-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3540-326-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3540-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3756-324-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3756-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3772-260-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3772-262-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3884-278-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3952-300-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3952-249-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4108-253-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4108-292-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4308-255-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4308-274-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4380-257-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4380-268-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4576-276-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4692-273-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4700-302-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4700-248-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4776-246-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4776-306-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4800-31-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4800-322-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4896-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4896-330-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5064-283-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5072-241-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5072-316-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5084-284-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5112-270-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5112-256-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads