7b9cdddc194684d41471d7e3909f64c2fe1b2f87d0fdbfccc6313c9b74c0dcb3

Analysis

max time kernel
91s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9e7a790be8f0195f7032e7b1f53ff10N.exe
Size

512KB
MD5

b9e7a790be8f0195f7032e7b1f53ff10
SHA1

d60147125f8b45c161e0637ab8b0cc895c5a17af
SHA256

7b9cdddc194684d41471d7e3909f64c2fe1b2f87d0fdbfccc6313c9b74c0dcb3
SHA512

47de9aaa9ce10b196ffa3af5a9a38149b95a840736c7a0d30fd6adb07f1ce351c504138c62ae875a2f3b3711f6298e0d8297167d064b077b358902d7ef58ef72
SSDEEP

6144:bCIuMOq24853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:bVuMHZQBpnchWcZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b9e7a790be8f0195f7032e7b1f53ff10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b9e7a790be8f0195f7032e7b1f53ff10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe

Executes dropped EXE 31 IoCs

pid	Process
4980	Cjmgfgdf.exe
3080	Cfdhkhjj.exe
2272	Ceehho32.exe
408	Cjbpaf32.exe
376	Cegdnopg.exe
3704	Dfiafg32.exe
684	Dmcibama.exe
4152	Danecp32.exe
1984	Ddmaok32.exe
2984	Dfknkg32.exe
2024	Djgjlelk.exe
1644	Dobfld32.exe
4808	Daqbip32.exe
3184	Delnin32.exe
2916	Ddonekbl.exe
2164	Dfnjafap.exe
2868	Dkifae32.exe
2832	Dmgbnq32.exe
2424	Daconoae.exe
3208	Deokon32.exe
2156	Ddakjkqi.exe
2720	Dfpgffpm.exe
4160	Dkkcge32.exe
1440	Dmjocp32.exe
3136	Daekdooc.exe
1624	Deagdn32.exe
4148	Dddhpjof.exe
3920	Dgbdlf32.exe
4712	Dknpmdfc.exe
912	Doilmc32.exe
456	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	b9e7a790be8f0195f7032e7b1f53ff10N.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	b9e7a790be8f0195f7032e7b1f53ff10N.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe

Program crash 1 IoCs

pid	pid_target	Process
1236	456	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9e7a790be8f0195f7032e7b1f53ff10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b9e7a790be8f0195f7032e7b1f53ff10N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b9e7a790be8f0195f7032e7b1f53ff10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b9e7a790be8f0195f7032e7b1f53ff10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b9e7a790be8f0195f7032e7b1f53ff10N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 4980	4140	b9e7a790be8f0195f7032e7b1f53ff10N.exe	84
PID 4140 wrote to memory of 4980	4140	b9e7a790be8f0195f7032e7b1f53ff10N.exe	84
PID 4140 wrote to memory of 4980	4140	b9e7a790be8f0195f7032e7b1f53ff10N.exe	84
PID 4980 wrote to memory of 3080	4980	Cjmgfgdf.exe	86
PID 4980 wrote to memory of 3080	4980	Cjmgfgdf.exe	86
PID 4980 wrote to memory of 3080	4980	Cjmgfgdf.exe	86
PID 3080 wrote to memory of 2272	3080	Cfdhkhjj.exe	87
PID 3080 wrote to memory of 2272	3080	Cfdhkhjj.exe	87
PID 3080 wrote to memory of 2272	3080	Cfdhkhjj.exe	87
PID 2272 wrote to memory of 408	2272	Ceehho32.exe	89
PID 2272 wrote to memory of 408	2272	Ceehho32.exe	89
PID 2272 wrote to memory of 408	2272	Ceehho32.exe	89
PID 408 wrote to memory of 376	408	Cjbpaf32.exe	90
PID 408 wrote to memory of 376	408	Cjbpaf32.exe	90
PID 408 wrote to memory of 376	408	Cjbpaf32.exe	90
PID 376 wrote to memory of 3704	376	Cegdnopg.exe	91
PID 376 wrote to memory of 3704	376	Cegdnopg.exe	91
PID 376 wrote to memory of 3704	376	Cegdnopg.exe	91
PID 3704 wrote to memory of 684	3704	Dfiafg32.exe	92
PID 3704 wrote to memory of 684	3704	Dfiafg32.exe	92
PID 3704 wrote to memory of 684	3704	Dfiafg32.exe	92
PID 684 wrote to memory of 4152	684	Dmcibama.exe	93
PID 684 wrote to memory of 4152	684	Dmcibama.exe	93
PID 684 wrote to memory of 4152	684	Dmcibama.exe	93
PID 4152 wrote to memory of 1984	4152	Danecp32.exe	94
PID 4152 wrote to memory of 1984	4152	Danecp32.exe	94
PID 4152 wrote to memory of 1984	4152	Danecp32.exe	94
PID 1984 wrote to memory of 2984	1984	Ddmaok32.exe	95
PID 1984 wrote to memory of 2984	1984	Ddmaok32.exe	95
PID 1984 wrote to memory of 2984	1984	Ddmaok32.exe	95
PID 2984 wrote to memory of 2024	2984	Dfknkg32.exe	96
PID 2984 wrote to memory of 2024	2984	Dfknkg32.exe	96
PID 2984 wrote to memory of 2024	2984	Dfknkg32.exe	96
PID 2024 wrote to memory of 1644	2024	Djgjlelk.exe	97
PID 2024 wrote to memory of 1644	2024	Djgjlelk.exe	97
PID 2024 wrote to memory of 1644	2024	Djgjlelk.exe	97
PID 1644 wrote to memory of 4808	1644	Dobfld32.exe	98
PID 1644 wrote to memory of 4808	1644	Dobfld32.exe	98
PID 1644 wrote to memory of 4808	1644	Dobfld32.exe	98
PID 4808 wrote to memory of 3184	4808	Daqbip32.exe	99
PID 4808 wrote to memory of 3184	4808	Daqbip32.exe	99
PID 4808 wrote to memory of 3184	4808	Daqbip32.exe	99
PID 3184 wrote to memory of 2916	3184	Delnin32.exe	100
PID 3184 wrote to memory of 2916	3184	Delnin32.exe	100
PID 3184 wrote to memory of 2916	3184	Delnin32.exe	100
PID 2916 wrote to memory of 2164	2916	Ddonekbl.exe	101
PID 2916 wrote to memory of 2164	2916	Ddonekbl.exe	101
PID 2916 wrote to memory of 2164	2916	Ddonekbl.exe	101
PID 2164 wrote to memory of 2868	2164	Dfnjafap.exe	102
PID 2164 wrote to memory of 2868	2164	Dfnjafap.exe	102
PID 2164 wrote to memory of 2868	2164	Dfnjafap.exe	102
PID 2868 wrote to memory of 2832	2868	Dkifae32.exe	103
PID 2868 wrote to memory of 2832	2868	Dkifae32.exe	103
PID 2868 wrote to memory of 2832	2868	Dkifae32.exe	103
PID 2832 wrote to memory of 2424	2832	Dmgbnq32.exe	104
PID 2832 wrote to memory of 2424	2832	Dmgbnq32.exe	104
PID 2832 wrote to memory of 2424	2832	Dmgbnq32.exe	104
PID 2424 wrote to memory of 3208	2424	Daconoae.exe	105
PID 2424 wrote to memory of 3208	2424	Daconoae.exe	105
PID 2424 wrote to memory of 3208	2424	Daconoae.exe	105
PID 3208 wrote to memory of 2156	3208	Deokon32.exe	106
PID 3208 wrote to memory of 2156	3208	Deokon32.exe	106
PID 3208 wrote to memory of 2156	3208	Deokon32.exe	106
PID 2156 wrote to memory of 2720	2156	Ddakjkqi.exe	107

C:\Users\Admin\AppData\Local\Temp\b9e7a790be8f0195f7032e7b1f53ff10N.exe
"C:\Users\Admin\AppData\Local\Temp\b9e7a790be8f0195f7032e7b1f53ff10N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\Cjmgfgdf.exe
  C:\Windows\system32\Cjmgfgdf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\Cfdhkhjj.exe
    C:\Windows\system32\Cfdhkhjj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\SysWOW64\Ceehho32.exe
      C:\Windows\system32\Ceehho32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 396
        33⤵
        Program crash
        
        PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 456 -ip 456
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceehho32.exe

Filesize
512KB

MD5
4700f05de238be08af86d7e46f599449

SHA1
717e2ee19cfd9f16f4e7b9acad4130c36399d9fb

SHA256
df93104801684f6d0a4d558df096622486e0cd4886e7f235511ad47acbb01bb9

SHA512
bfed95e97d4281469cc57423bcdbd5607f7e209ff9b9ad26ef46f61c8b0019b8ac40749dbda0b3fd775a792ed501390ce098ce61bdc737c3bc7d450610d35445

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
512KB

MD5
0dfcac16fa6b0b00c678840df99a16fc

SHA1
94056e78c3548cd594517389f979cc134960a824

SHA256
3d3ad0fb6ebde9afc6e4cb1dbfa0b6db2ca7d780fc266378e52761ede7314479

SHA512
ec0a36aab5177b81f6dacb0def10168b4e80c428972348d669ceb6d5a1b3f464a695ff98a0cb65038f829b2ddd4dbc92222bde5023d116adc5acd52a8c1bb720

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
512KB

MD5
c858d5275296d8d730a99c7007169208

SHA1
5cbcb0edd0384bb408b3bdbf7f8552c95b62265f

SHA256
b46b3d008f09e7b3be613e7daadf3a2d5cf89efb2c3a48585172ce5a97f60741

SHA512
ebbce8031f4356fbb83d2e7d2c66a2ec5d946a5d558f5a82fddab22e9137e9de12910f7f7da0ae7089ee609812c070b8c45a303d0fc91ea7184fdf8bc41ab605

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
512KB

MD5
f7a248b353a8f5234aec98f89b51f391

SHA1
babcc329925cb4de7f05328ca178629a6c31737b

SHA256
cc720a67c3424ab465b7ded78e4e375f9d859afecb3f88f059a9a9b4c0c70d42

SHA512
7643d1775085d3422baf0161492818ae34047265cfff9df5c8d20fc73c2cbe7b1ed44a9d21a5ddba9d58e0a4bf85d4d85fbf319c7a2cdb2faae5e2010afa5298

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
512KB

MD5
7a09a8ee02f2652adc3ce8d8d4a62cfb

SHA1
5e2e29273a11b0e88dc9aa0e4b991d269e99591d

SHA256
0f6369c216038e6a16334e00b6b4b9d4b42f14658c7463a8714614e091dfad4f

SHA512
9c3017355eb92158b60faa3b55cde68cc8ec9886e2d19e3cca238083681afa8b5c447202e9004b58451771b543b17f7e08e36910f65321c677de91980a2349d3

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
512KB

MD5
dc8948d2134178f0582ecf06d945dcfc

SHA1
7d2e75c2ab7ff6031ac54dc1703452e8b5ea9352

SHA256
5f02b57ef6f1a1578147bebf44b7ef7523d7df6740479cc6fe6e57ee6cdf36ba

SHA512
655cb57908920cdacb36566fa8c8fb60a9b28389bae2ff603ee987be6d0fcb79c7675add32c50bd76b5cf6e4dd8bf2301ddf5dcbc0c0425a8fc714187c1bf94a

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
512KB

MD5
60087aa076b3d57f229e9cfcf5663b5d

SHA1
ba4f5d02c38af41b8fccdc49915629ab4e5bdef7

SHA256
6c0b0a7da78003a4376395fcbf021bdb9ac3c412eb382968436e8c37ff224d07

SHA512
45c432ea508acfa4dbd4906be14aac13a2c95f1f6d8afed99fb6eb3e71725f2dedc258c61ed006edec46ab294697210bb37c5ba54142637d4064b88cd82e825a

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
512KB

MD5
26fa4781d54c7a016d9eec3e3029f453

SHA1
e88601ba381eea445ebdf8f4649c47bfdfaa979b

SHA256
e85171406c6a9243ef63ff864ea991881a939bebfefd615d2050b8ca20c4a5cb

SHA512
92e64004a4e5a586b2fdd3244a9b69e75394cc20ffdce19c852c6e35f47041dd68d89f9e06018d84c6212982e7a0062e7bef60a04fd88c245dc14e59f09c8338

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
512KB

MD5
053bf49b99a9a4c992e1d97e7adad539

SHA1
9aa73d095da2befa225c99bf27a6f2d718cc4d7e

SHA256
ae78c05c63aecfe914090f0aed7634972fe4c80b53a20eb28470a30f97970a88

SHA512
866c7e3458eb4c032232e8200ee7dfcc30b3557c3e76218aed6deb3c73d10e12b020621529a2dc239160d6674219f4c2c8455592392a18616f7af5e2d67c1f3c

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
512KB

MD5
5125f7e189a421b423e29b3cbb97b803

SHA1
2f440c760e0e30c0b002f9de300092c1aba25ebf

SHA256
a2733ada87c2280c8fa3f4b180ff255dd94365ab5df0145064d2790feb1e7e82

SHA512
30dca3385798d486bb5fe10d14b56f5c5fc85684e12494ce943bb321bc1e180cdac1a2e5c797f5d8dbd94dc5c3f913763d32a9f89ccfc6d668e0a0e9beb29f42

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
512KB

MD5
dc6b2cdeee71a4629439fa0a158138bd

SHA1
e210ca6df8082cd127c5c4369d19479f10561558

SHA256
93dab2f28871f2b96c515d51e5c127eda6e6844123bfc6e5b1a1eed700efe3ab

SHA512
c05e02905708af24378490b482e27be4f7484ef6ba9ca7ef42bb195c0ab825627e755e916c0bd28a4ae1859d9738384cd9663687e6463cc5cc245abf8354a54e

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
512KB

MD5
ce3e66619db55d1afffc019783530afe

SHA1
e1d110842fcc63995945976275f46a5f51861e2c

SHA256
2fb00f972b696f360c35557f90f26725cb31e34dedb140e7d7851a2da92d2a32

SHA512
885f70a7347e9f41e491df7af126dcd57217c826f42310d57327bf4108807c8040b38817cbb800ceed54ab4f717bb4e6bc488157d6223dff7e978f6e78d25da5

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
512KB

MD5
3feb08ddff83314942b616a6c0b665a6

SHA1
9c9711cfadde37b78c2020378ad22490b649d880

SHA256
17cc0a3228a23a4a50fb5fae61407dc9d99429d460d6df5f47aaee765a5a7df9

SHA512
83d803e10dbc6078a61637d19ab50644dc8b6479a661bb7bcab66c039bf31d26dee9be3a97012720683fccf5479d075656b049d3f4290ac50eee8e1c6158cf50

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
512KB

MD5
9e64451989129795d04bee5a18e05cac

SHA1
b636404d99170b46a7844be3ac6127d568986eb5

SHA256
e26a4ebdf111dfd9726669ae454027a1d251b539b65c4349f469516fdcb8178d

SHA512
10512a5242d60ead86b151d6f5045c2fbb9ae49356ec5999a7a544cf4fac3ebdb217c3b147a2518c02e2ae520010cfce89a87d2a07a0c05efafa53d0a5d0da98

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
512KB

MD5
28db1d882d977b43849e859ada0ae2c7

SHA1
d17562c855870d27569dc8eaaaa143c53f596ca4

SHA256
5900c24ec2fbd466597d72813d09a45dbded2a81360ca09cf3bc9af491c166c6

SHA512
337f70d4e54b0cdad3dc36cbff4fe873d98c5488460cf39af3f473eef187edb0d4449de52e3177d83cafcc6b9f640b0bd4b01a9182d1c17ba064175fb451f010

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
512KB

MD5
b8d908821509f2a97f6ca7b9215db92a

SHA1
890cab5fabe59d6d9ceb4d7bff543f29600cfab6

SHA256
8c5ce1cf9eb0f649af87e2f7c8564b28e2e46f107bc97bf1044b70fc621c3eb8

SHA512
81af23854a0338ddc75b4e17964a1b9682a22c0e8b30cf612fbba55cbc20b99f991a074ff3473941309dfa9bcd7d9af4d6a724f32c96b90db2744659b3c7259f

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
512KB

MD5
939068814839ad795243016dd8e48c3c

SHA1
a8d80c9c0a1756e359c59711d2ea43a92147350e

SHA256
dd5b67176d96b624d7eedc1bcf4f126d17eddd1a2402fa9807203c746a200cb7

SHA512
0657017b62b1fad291d785f4976487e3bb9c86e6e05721c89dd94f9c5794563cdce2200374412f22001223df61eb56e995753a4d1f16a08b6b5d611c042fe46e

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
512KB

MD5
0cf293462226a20ce1c45b4292ce75d6

SHA1
db914d3fc0aa4ad3a04b55fa2d6527071495371f

SHA256
60b76866bd2ce2b6e2c7d0decb96c99127dac1d564f7483e648771f2ecaf951e

SHA512
1ed1c99387321d26aebe9167b913d0cc9bc64e7bce03e882d104fe477870ab5139b3ed5cff536ec424007d0e7b9ffefe9d874edf465fc516e7be1022952aeb15

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
512KB

MD5
61bd7becd3cb451959632a885f87d333

SHA1
6d060f4997d259f6915f3a8b5648ed77af688d7d

SHA256
7ea89beccb29e4ecb80323732a018d9803f746c6d8e9b58774b8d9a79b4f71bf

SHA512
637e894d55323f33867ad60a0836cde052391fe568c20803c60f1debdfbe640a15cb40ac747c5dca7a34f62e5ceed599421fb8701d7bd5c5b3c19ce5e30ebf45

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
512KB

MD5
73b1b709ca3c4427c95437e757e000d5

SHA1
e71be747188853c2ef5b89859ad07f3b649cacd8

SHA256
2340d57eed4fd010e08c4810ea5bcfa9b92583d650ee19bbd6ebfc769ad2e0e4

SHA512
f716e9ca673a1a61f982d4240c41d8d4c848b5f47dd32c2fa8e8576e78ed68d96d8c978a23d33768885893ab5bec4993e5050c42f325dd7f5a2732181bf14ed5

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
512KB

MD5
c18d55bbf0a73715a41180eca6c71163

SHA1
e117ed5c1560af46e35b055e7fdc28a3fc064ceb

SHA256
d11c0032eb366a568fcfa54deb7e9fcf875d81d43fd4d1ccc0c61594a9bce5a5

SHA512
4b18faff4e7d6d247784c3990969be84101a222133b844ef35ddf0e01a2089db82d24328cb252a7dc3fcd265f32aa698317ee65c0a892fb6f2cedbb85dc8e1f0

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
512KB

MD5
f6524e2a960ef552d8b9ab80318e0d30

SHA1
a88fb4552948ead2ff99855bb558d503afd07634

SHA256
965cfc986a9ca68cba9b1fab7e0a9032f2ad68284a2ca69dbbf0775a0ae8e381

SHA512
2b5d33bb0211d499ddbf4f9c0396fe6084d4d232595c7b2a7589cd4336b8e107d765cb6d8a2526f5bad45a72e0cf519b75f424c3ca63770eae5fff83a10c2c94

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
512KB

MD5
880a24d4c8f75a9a17e114d3eaa8b08d

SHA1
4d39e57204f241f9cb1ec79ab34989fbfe0fff23

SHA256
a2ec6a5180312fda81819a13928736b860e46506a41904c6c42dec5783110974

SHA512
76398a88b5a7cb26d5c2ccb90f18e1ff4e30bddea3cba9e9ddddbc31c8ea2e491b4610ee37219207463edc314279b42f2908f32a15e5c9218b87be6816b3e3c2

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
512KB

MD5
837ce1a246576343e0dfcff79198e51f

SHA1
df2cc9e7b56f7440ca33cc568fe4fe23c23e9bbd

SHA256
fb63a7f9b553e45159fd9ea246c66697896f6c80006d6eb4a8b29ca14c361123

SHA512
bca9fd8417a675d8509ef3c9fe7363c6500ad403fa1786c31597e5742c14911ae0bf092968163dba309d878a601f08dddf4f804fb33c5852f9afd82bf10cb3de

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
512KB

MD5
9dae62b444a38d6e4c0e4dda7bae8001

SHA1
70b2b0f22b1417f910f781f0c6021c258bd8b865

SHA256
0f68d75a1dd1b32eeba8eb79b8a14680aae5b4690972aea3f77549de4fc99851

SHA512
80529fff2ac14ca490340cb508c5420212450ad98ff894d94a52aabe2020f694edc4b97ca821489bba073c231504f797a5bbf71f208ae84810cca5d38544c473

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
512KB

MD5
9121fd49df0315db09b02dff504eba9a

SHA1
a5643ecd56545f952a2eca431bbc221d68fef473

SHA256
73c56fc0ab0e76e698db15de33e11521be4eec3d87d55a1eef3517313a36d136

SHA512
b43024f9db97ee658968c8691aea3594ec1f0e90bb4816cb261a52fcbeac008065cb758e52e8de0a43857645404be25b8545c6286f751d22b5730e2427992c57

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
512KB

MD5
f388452d23d88bf91f16872ac4a9b8ec

SHA1
29ecbbe1d71c4cff59a12956b37312875cad3d4e

SHA256
aa0be74df19335400b208defd45246463fb630081f22621d8d3964f41df7a8b8

SHA512
90b6ed0d8624cea3bfe895a2b2343c56119d56eac4a5c4302440201d288703b971d3bd8abe0286f545869acad8286dcce69d470e9978ba0dcc31ae964ce3c860

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
512KB

MD5
a2846170f2baabcb9c05a513a5212036

SHA1
b0533852bda8ceb882363760e27294d54916ef33

SHA256
c08ac8d5223e86421b25024b12266e7e265e73dde51641a56fe41dee9be234bd

SHA512
707b43f3a82f7d96a360635f5dc90546476915ac650a5683d13a1475eb4698f88a45dc98236698cfd04b9cc60ad7269d6817dd842baa965d986f77d2a9c43546

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
512KB

MD5
8fe8ba2c99233c388c44fa81d972c6d0

SHA1
1e67570012c2874c5442d7d855471869f38f5701

SHA256
e7b40c6b769c6d50576af8406f574ae2cd8f1e3a37b0652eea92bcb6416b4341

SHA512
ba9761a183a02e7434e3a624152d9973db2f96bd665f754e1b93b07f2fafb8a07a54c10726730cec90295164d279c2af1e3fca81dfb096b34a2d7fa3cdb3e2f7

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
512KB

MD5
b8b316236990ed65fa5c072de1099900

SHA1
76283febcd250a266c0bc901aa50e39963c3c85a

SHA256
3f2a6cc84ce5bae00fd0ee6091141e3a8a8d2547f5d6a22052dfa1c817b3430b

SHA512
b3ba001540ddd1cc567fc4a79bf913378f244ad7b6a27069364f824d981d1b7005d57d5ef4f33885f38978cd7d966c203066dc44b814bc26827245de9d9cc4f1

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
512KB

MD5
6e6e4dc8d140ea08ab0b9b0852537cb1

SHA1
1482011b3cc0d4ac9fe8cf3d022de106549f50a1

SHA256
01ca66f57ea73be70175556ec474d142a40a38fa4d86a49d341c8cc472a34276

SHA512
2f23dd5966a50be3adf20e5f7a2d7ce45e4e6c91803b5784e58bdb8ab5128c26f316e17aba7cc0e768f586b86b40895fe34d4bab7c46fe1f1e97f75e0bdcb8f2

Download Submit
memory/376-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/376-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/684-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3080-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3080-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3136-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3184-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4148-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4152-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads