52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
Size

352KB
MD5

bcd2ac07a00fedbe6466fc6c8547f05f
SHA1

abf9bb42c0588925519b0446445aed12a4fa37db
SHA256

52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f
SHA512

54bdeacc1b17a98762a9cabcbc8a3a3f0e857d01d9e5ee297eb2af22e557dd77435c240cb214411650ddc8e1c2664decd842939231bb4ec99fa42ed9a9b79ffd
SSDEEP

3072:d8LRPW1ZZUB2fOJF4EISi/i4gG4nv4H3EzkGSaXiT+9S+a1+s3wNxn:dku1ZZUB284yjwHL/T7Gsyn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe

Executes dropped EXE 31 IoCs

pid	Process
516	Cmiflbel.exe
4492	Chokikeb.exe
4068	Cnicfe32.exe
3816	Cagobalc.exe
2772	Cdfkolkf.exe
2676	Cfdhkhjj.exe
2428	Cjpckf32.exe
4952	Cmnpgb32.exe
3592	Ceehho32.exe
1344	Chcddk32.exe
2068	Cmqmma32.exe
732	Dmcibama.exe
904	Dejacond.exe
3972	Dhhnpjmh.exe
2384	Dobfld32.exe
4136	Daqbip32.exe
4388	Ddonekbl.exe
3068	Dfnjafap.exe
4536	Dmgbnq32.exe
5112	Daconoae.exe
4796	Ddakjkqi.exe
4420	Dogogcpo.exe
3456	Dmjocp32.exe
4732	Daekdooc.exe
3960	Deagdn32.exe
680	Dddhpjof.exe
4060	Dgbdlf32.exe
4432	Dknpmdfc.exe
3148	Dknpmdfc.exe
3884	Doilmc32.exe
1900	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe

Program crash 1 IoCs

pid	pid_target	Process
1560	1900	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 516	1912	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe	83
PID 1912 wrote to memory of 516	1912	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe	83
PID 1912 wrote to memory of 516	1912	52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe	83
PID 516 wrote to memory of 4492	516	Cmiflbel.exe	84
PID 516 wrote to memory of 4492	516	Cmiflbel.exe	84
PID 516 wrote to memory of 4492	516	Cmiflbel.exe	84
PID 4492 wrote to memory of 4068	4492	Chokikeb.exe	85
PID 4492 wrote to memory of 4068	4492	Chokikeb.exe	85
PID 4492 wrote to memory of 4068	4492	Chokikeb.exe	85
PID 4068 wrote to memory of 3816	4068	Cnicfe32.exe	86
PID 4068 wrote to memory of 3816	4068	Cnicfe32.exe	86
PID 4068 wrote to memory of 3816	4068	Cnicfe32.exe	86
PID 3816 wrote to memory of 2772	3816	Cagobalc.exe	88
PID 3816 wrote to memory of 2772	3816	Cagobalc.exe	88
PID 3816 wrote to memory of 2772	3816	Cagobalc.exe	88
PID 2772 wrote to memory of 2676	2772	Cdfkolkf.exe	89
PID 2772 wrote to memory of 2676	2772	Cdfkolkf.exe	89
PID 2772 wrote to memory of 2676	2772	Cdfkolkf.exe	89
PID 2676 wrote to memory of 2428	2676	Cfdhkhjj.exe	90
PID 2676 wrote to memory of 2428	2676	Cfdhkhjj.exe	90
PID 2676 wrote to memory of 2428	2676	Cfdhkhjj.exe	90
PID 2428 wrote to memory of 4952	2428	Cjpckf32.exe	91
PID 2428 wrote to memory of 4952	2428	Cjpckf32.exe	91
PID 2428 wrote to memory of 4952	2428	Cjpckf32.exe	91
PID 4952 wrote to memory of 3592	4952	Cmnpgb32.exe	93
PID 4952 wrote to memory of 3592	4952	Cmnpgb32.exe	93
PID 4952 wrote to memory of 3592	4952	Cmnpgb32.exe	93
PID 3592 wrote to memory of 1344	3592	Ceehho32.exe	94
PID 3592 wrote to memory of 1344	3592	Ceehho32.exe	94
PID 3592 wrote to memory of 1344	3592	Ceehho32.exe	94
PID 1344 wrote to memory of 2068	1344	Chcddk32.exe	96
PID 1344 wrote to memory of 2068	1344	Chcddk32.exe	96
PID 1344 wrote to memory of 2068	1344	Chcddk32.exe	96
PID 2068 wrote to memory of 732	2068	Cmqmma32.exe	97
PID 2068 wrote to memory of 732	2068	Cmqmma32.exe	97
PID 2068 wrote to memory of 732	2068	Cmqmma32.exe	97
PID 732 wrote to memory of 904	732	Dmcibama.exe	98
PID 732 wrote to memory of 904	732	Dmcibama.exe	98
PID 732 wrote to memory of 904	732	Dmcibama.exe	98
PID 904 wrote to memory of 3972	904	Dejacond.exe	99
PID 904 wrote to memory of 3972	904	Dejacond.exe	99
PID 904 wrote to memory of 3972	904	Dejacond.exe	99
PID 3972 wrote to memory of 2384	3972	Dhhnpjmh.exe	100
PID 3972 wrote to memory of 2384	3972	Dhhnpjmh.exe	100
PID 3972 wrote to memory of 2384	3972	Dhhnpjmh.exe	100
PID 2384 wrote to memory of 4136	2384	Dobfld32.exe	101
PID 2384 wrote to memory of 4136	2384	Dobfld32.exe	101
PID 2384 wrote to memory of 4136	2384	Dobfld32.exe	101
PID 4136 wrote to memory of 4388	4136	Daqbip32.exe	102
PID 4136 wrote to memory of 4388	4136	Daqbip32.exe	102
PID 4136 wrote to memory of 4388	4136	Daqbip32.exe	102
PID 4388 wrote to memory of 3068	4388	Ddonekbl.exe	103
PID 4388 wrote to memory of 3068	4388	Ddonekbl.exe	103
PID 4388 wrote to memory of 3068	4388	Ddonekbl.exe	103
PID 3068 wrote to memory of 4536	3068	Dfnjafap.exe	104
PID 3068 wrote to memory of 4536	3068	Dfnjafap.exe	104
PID 3068 wrote to memory of 4536	3068	Dfnjafap.exe	104
PID 4536 wrote to memory of 5112	4536	Dmgbnq32.exe	105
PID 4536 wrote to memory of 5112	4536	Dmgbnq32.exe	105
PID 4536 wrote to memory of 5112	4536	Dmgbnq32.exe	105
PID 5112 wrote to memory of 4796	5112	Daconoae.exe	106
PID 5112 wrote to memory of 4796	5112	Daconoae.exe	106
PID 5112 wrote to memory of 4796	5112	Daconoae.exe	106
PID 4796 wrote to memory of 4420	4796	Ddakjkqi.exe	107

C:\Users\Admin\AppData\Local\Temp\52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe
"C:\Users\Admin\AppData\Local\Temp\52a175c6433d19a4b73bd3af1de949719916b32e24eea31c2fa717a90208db4f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\Cmiflbel.exe
  C:\Windows\system32\Cmiflbel.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\Chokikeb.exe
    C:\Windows\system32\Chokikeb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\Cnicfe32.exe
      C:\Windows\system32\Cnicfe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
      - C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 396
        33⤵
        Program crash
        
        PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1900 -ip 1900
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
352KB

MD5
75c7da9c3561e6c40617934388102c12

SHA1
96f9f8f8923bb2a50d70f342b05105053874e29e

SHA256
76f13e3e308ff7816143295d77a6bd96f2333638960cdf158dea8cae2a9b55d0

SHA512
4a9c5c124818c95c73a6a5e40730f0a0e398ce08be80809429dfb2ee89242e79b6e9b631982774bd561b7de51288a4fbc059a8778b1c4cdbd8d300d4c80c6a02

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
352KB

MD5
f59b654af377aaa1bbe35921d3060e3c

SHA1
c30338726f7eb0003657bbfdfa96eeecc409b1e9

SHA256
af12a3838176679dd897e17c950daba05216151de3958c469984224925a0d53c

SHA512
b376ad43bc2ec3fd9d31b9b99b321d5e4db5ac4464b85579986c1e93d4a85ba864d335d5c979c975733f055de10abc6eed80e4f474906b0ebae36348d9b12ab9

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
352KB

MD5
f719588d31840a2fe6e0f17433e3304b

SHA1
3813b0ce3566def15eff198703a1b2239e0df01f

SHA256
26ddb5521f6a4bd0b90ee8170dc83105e9f1f8f390f95894ef20ad5cf77098e6

SHA512
0ef8e5a349dc156a2a06670074e67a73f52117755397ed35f09b38f53900e7b62686d3070189f8ea9676ef254cefe484712f41c7d8295e142fcd6ef42aa8ab98

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
352KB

MD5
5f7d7476b15491b060e258f788e52ed0

SHA1
471a9e77fa7a8af482f817bd3469f3bfabaf670a

SHA256
0819e064298b55610ca1b679a3f0c768761f96076fe12c508b1514e58b875170

SHA512
c1f91fb0cb80b7d6242040af216398295e17b02ad01af9d0e88f15b294b58e1733eab65aecf88553b1bfcdd10fe1a4bf4967f35055f739d37befd3aa8204378d

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
352KB

MD5
0d7ba43ffb2cc699220f4e2982261820

SHA1
d257807c8845fa6cd875acd035330cc752983fbd

SHA256
a91c46534e5df9303f8fbe2a0ba49b3ebf7f58c649d851158565037d1e09c104

SHA512
72d3b75e39dd014e4709012acb6493bd1d5de64d3f8ab5c24b36fd9647c3889d2469d3c84d4a181a3b90691637c6285b21009ddbe6b2f91edb05e000ae4ca53f

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
352KB

MD5
f875a9217c994592143ef0418f2db216

SHA1
1fbbe1a407ef84c3b0220a9712094e08aa8c293a

SHA256
cd101ec8133c2fd5b2c9d7571c776345b200437032fde9c24c8ffffb45730650

SHA512
904037171acc16be6645b21f3df66eda6ee28ef6cc115c83ba1071fc5f658269485a9e7610adf4d06d347726b8c985b8e23cee257d849bdd739d50092d401d96

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
352KB

MD5
de7da99edc5f3710cbe3ee7d760c7712

SHA1
1ed9ccdda8d833c58367762b4dc3e4d9acb3d877

SHA256
ebeb690deb1776445a5617b93acd31462ea831452e8bab668116192f8716b2ee

SHA512
f7ba2c7364d79061689596b919c8e48a95a05f6512c45bce72a6097a8f5447e7d487962b157ba4f21b1f6dd467a2cf5b041fc9514775e84d9e8d70f8fd109d62

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
352KB

MD5
e6d56afb03884bcd65fe7a6c4a3e0749

SHA1
31104bca6fa8b5d0308d913563e4a62f30f92cdd

SHA256
7ae3381085c4eaa569914b4d5767cf138ccdff140e9b7937fc5cfe7b538a00d5

SHA512
546788f2ac260843087c7a5c53fe0bd889067624c5206b56c1a26f2e2957ffb40789a096433a28ba6e9f973534b2f09cadf39b150cf3e50f6b890fd974d5efa5

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
352KB

MD5
6d10fa759241b54ce9e6d4372bf3a898

SHA1
c6719e6f5f666788ee54e187a9dc5fc18e5eabfd

SHA256
e11300df95d9fbf1c65310d8e11d2a0d38843cfcc84f1168933e2b806068e506

SHA512
1da6201f7398560f4a84c384d4fac7bb50fdbdaad1ca63f6216fc193632d84cd062da05c0544fd425311a1a4995d110f54e2244fee5c705ab4982cecba14c1b7

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
352KB

MD5
58debc36228dd26ef50c4656966c3909

SHA1
960ce85970409b4c80b6701483218e859629412a

SHA256
5c282b50096a955d9ab6df47d4864f4ccd57c65f5e56fb77dd6c7596f7af5d4a

SHA512
75a5211977c2252ed2ec7d4c864dba4dd42516e26ce9caa6122d3c3ac252248c477d00ca5fcd0a084758629b132f449a22320b0c834c3eee4e1b44fd968d0649

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
352KB

MD5
4c6707a78a7ee908a932df3fbca19469

SHA1
368acb0964f423a2769d137b8384cd8d8915b95f

SHA256
67e721202a639115e21c675efb2a72379cd21671e8ef005baed5addddec748c9

SHA512
8c460d8ee45afaafc83b315b685922f36317765d0a771c93813dd4cbd0d5983beb9cdc553cabd869aa64b3d86d15b9bb62bd6ae98666fdbf1dcde98f1f69c824

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
352KB

MD5
5a413a288fb1338990c1ba84d6fee284

SHA1
b1d859878068f324814c51df2b3c44c1cb3b9ac5

SHA256
0401a90ba1a0b56505aca124ee6ba5b097925555aaaa7ef67cd3bbd81a24db18

SHA512
e034098de565fd5f71d45e47d6a1e11a31858ce43fd047731873aaef16c1345b1805650cae530d4331d0fdd144f31096d86c964475ca749260c7f1666888e47d

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
352KB

MD5
82d122a78fe25ed42f719c4551d0d8a4

SHA1
b813791b087ec11031e995835f12f3723cd43d87

SHA256
2d1d4bf4ff3cb11f1ce7c78b20597cdd37280e3f686caf123326d995ab92d299

SHA512
d36fd22b87007e7f5477f1983b15312467930de787ee79d48a63aa80fad3b981e427dd7992bb576b469bb8d46743cc65211e8a5c9882ddbc5536a410b2b4f2e0

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
352KB

MD5
2911a2d7cf89e538e211ef581aab5f1b

SHA1
467078835df32909896b802abc37fef183417fe7

SHA256
fbe9ff37cba1491b374b828886c58379e1d83d97084025dbc2ee8e4cd3abbe14

SHA512
2c873c59fd6ce89ac43f09ee09d79775e1fb025882f74bc5c24f3ee4e6d32b2ce434e91a3fd61907a0025a29d381f07b18e4e3d888ff3e714ff793696a062d5e

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
352KB

MD5
e61baaadbca6caf6722a835154911303

SHA1
86790bea29063adfde4516933cfc676baa0345fd

SHA256
7d339e16f5fa8bd2e5fdab487cf5db011bc120559b2eb4eb5f8742fc20fc59dc

SHA512
04e1b95990c66bacbd3a368863ba2060208aade1375907ba9de6041e10c338c48eaf5c787b2d4bb78ac3fe86a02746eca44d56144dda02e2f668f743ddb7fda8

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
352KB

MD5
34a04f9cf5392186b169abbdc1ebedd0

SHA1
9652bfa639da9b98b24293999fcb74ea7e25299c

SHA256
f38f45a3f3383165827d39e76f80a54c33b69da10e27417489951c8b19d7bd57

SHA512
31ade30da33a7ff021dcc647f1d4d395b7a8d07ce10eee6ecad2cc95242b67543eb40bd488c0cd44d26157071d20bc2c07397540629caabfcb7d32083b05949a

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
352KB

MD5
741e90995a4b8938999129756b610391

SHA1
011faccab9741022c4872a44fadfb037fe1e45bb

SHA256
b1424b5fe6bb9a905078c2f8a3b2c65ff50daeb3f4de14ce98d0c4e2a4e4164d

SHA512
b4f6f6e5adbf3ad2b4058e7f12cb00179b1f181d0e9bd975d1f72b5ede4e472657f1e710db18a758f530ee4490b6f365adf64c73c70f6ea093891eb5e68f012d

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
352KB

MD5
306583541f40f47aa381a9eebcabdb83

SHA1
6448b8f5545b8f6fff84a0aef469b51aee81180d

SHA256
ef0564f4013b30bc5a2936cdb0aba2d2628f974742fd75d65d84a8d678d8feae

SHA512
9289c3306d2302c98fd2f25946ecf8b550ca025acf921df24eb409a7ba683ee75a571cf961fa67b4bba165492b7bda18f85f24e425e4ce3ff266cceaff5aa5c7

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
352KB

MD5
344a947c1ef1edae941ce0c1a283deb9

SHA1
db29850327d02b4e19410b4ed54d2d6cf91cc4c7

SHA256
7f5022f02caf6adfd801a8b06547de281360476fd26d2e8f77e728a44d42e7f0

SHA512
90caa7bb7ff9434793e1a6d42bf1ede17e15ee79f1fdc3ec38a5eff2bf6ce9b828a4fb41cfa99eb47ad6599d64f040b88c61a5556649df2a858f17c8315855a4

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
352KB

MD5
fb65601bfafa17646324f76b0c0099fb

SHA1
52d515985db86641472fd9f3911353beebff84f8

SHA256
147a7a9b70b276c1a10bdc428d1ff3d2ae56bd54b37875eb6d1581860648bb73

SHA512
39ef05e9555bbd7f8e85eac6bb7d1a57d918ef6750493a88f8512178c85df500686f6e0c623ffea8e75be81ebfe8188e2748934ff39f6d15b34a596568a61604

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
352KB

MD5
505ab69889fdc55643dafbb2fbb48564

SHA1
741c6b164e8165d479bd8bc3319ecb9a1c61ec25

SHA256
a1e1c07dc0060728b6e30396fef2a22eb7d8728ff18c00db86b569a53969011b

SHA512
1221121db13359ed66baaa32804585c22c6a8f47d774cec81fc166539282d0b99eb25fc791bd8fb45cc99f8153428335d77de3b041983f2ea42a76927cf4103e

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
352KB

MD5
477a26631378ed93041fb10dba568b3d

SHA1
8962e5f3b9010bc1520f28891686742ea20399d3

SHA256
24903da66fd2a90ae0f8f02d8c601df70113d1fe80d2ff5aab2d0f75d6aedad1

SHA512
3de55e3e2ecd15de367026917574094ea7c0d06866d15020b19b5a949c81dd6e3c52a69fcd856b70254e6618c7c309fb1fdb08a46f4c72a9c235aded97900967

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
352KB

MD5
8b926e78ede790bb293f6a86535bba02

SHA1
43f68bb468767d0232ecb80f2b688e3e06217e6d

SHA256
dc4bcf6fb0b7aa7bd0ebdafa19e9fa8509c51e3302ea6cd246b2c9d59199304e

SHA512
c9c58a14e28e6ff5fef4262674448eca49dce43e26a14e10360a998a8d6a479d5be7de7cd2686fa2bfade1590aa36c50b48ac2393de90ca512ceb375767ab5f5

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
352KB

MD5
f41a3f0ef8af5f8c2fad196dfaa792e4

SHA1
1b26a7a4eb1955be836e31156c0b52097dc34b3b

SHA256
fa97671209a6435c7e9dc41c1eedf34c8d1b18a847b6a4edd8f717d7401be66f

SHA512
d7ea79e805ddc95edf5d89dda9366e53d086213948f01702c1a518bb1b037beddd0520640e541029ad26c323a24308b861a7d1bcc639eb8ed8ab956b3574349f

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
352KB

MD5
7d15bf401abf4b7421b579d193f38cdb

SHA1
f41408ea2ab41b8b6cb5fa59c6dce684123790c5

SHA256
f0c198a4876c72aa5aa9039445814b39776b0c18e37b3c5031352e67120e4b38

SHA512
d3d30485a32447e490b7f4a1e42c36ab91dd4221ef357d20289358cfe97929adbf6feb6cef6a594813a0518c86971e4ccf0a3874d8d030e4137275b3f679a7e9

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
352KB

MD5
d41ad1aff8664cdb93d88d76fdd7d169

SHA1
d1f83667e58395f4d31cefd1f0ccf8121e411637

SHA256
3a22766289e9af7f073588699a7dff5682c804f33b7e9a8cfa77170698c82fd6

SHA512
ac672bd7413caaad263891b788572a829a2b5693cee44851a1e489feaf5d1b083e1e992f4286384a0aeaa20abd306cd21ef65cfb7a713c8de431394b0d0cecc9

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
352KB

MD5
39d579c901f39d8fa74779da6b4405ef

SHA1
a6e7253dcf1ca17fc835072e7e742bfa781e24a5

SHA256
c38a18581303fec9f1bb276ae21322386701f2c22c4ba924abad1bd5c3caac83

SHA512
b92ff5deddc7391587e4b211f377b0bc1387abbb00930cb5482fc8ab1e2d4434e2eda24183e5562b14af692e40286898532f9287dacba1980e80101dd53f0cec

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
352KB

MD5
ac01993aaeea2ba9e64371c9d3f3a008

SHA1
88dd02e611e9d24e9bb1cb0a9d4394a750e39ccb

SHA256
39b409167e76ee4a244d68f36a8bdf6f71a8ef195222d7584702821f71378191

SHA512
289c9a83795db8145b96393977c70b3d440ab3d0500bb62f0d7b13f651dc945419320a7a77ae4dd2b53e623f33e97b4ee6e213d9c871c79555c92d942baab8b7

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
352KB

MD5
163a002e0031ab67c618620071483dd8

SHA1
e6761c7549ed1cc135f14f240a57065ab394193d

SHA256
e1150c22d57a4e233c56391e480ce0d904a91bfe098f70882d027b5c59da243a

SHA512
0e6a5137634c58a4d1820c382d0355800a8b1a2845c0e2ca3a2d2256edefe311fd3385ba4bd9d62e493633cba33b9e9e671785bf4815b1a570a97dd9572a1785

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
352KB

MD5
63e749cc48b196ecf2a51b234aa269f2

SHA1
77509c3a2eab5ae346ee1411676c96063b80954d

SHA256
00aed9726b94e1bead609a009aaf8628767d1b3577777cbe73b8eb1fdc45976f

SHA512
44eb5111b8f291c07ebb92716d94e5a3acaf4d5791566e8c87162064678b5d58c0547b49bae8b6dcc8d2385a9ef69cf4f52a7ed47fa1b3ef06a932acffa1f56e

Download Submit
C:\Windows\SysWOW64\Nokpao32.dll

Filesize
6KB

MD5
58b47ae3a4c58cee723be31a45ff0e01

SHA1
260ba68d62f58fd64b1ceb7ca71d6f1afd995da3

SHA256
48b2ea507bed23253437aaa352b49ee555f66cc9fdb983d3e87995383c4e39ec

SHA512
430d12cf22e22448dd87596ad2181dc4bffb79929c51831305da684959b71fd06082ff0241016c8d0509e26e4d0e413021c02486bb4cac52f63d647237e9738a

Download Submit
memory/516-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/680-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/732-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/732-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads