47e2294524d315c5645cd62916a770b5d937adc87b39e50f0124239a798b0282

Analysis

max time kernel
103s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f15788d2a1dcdf8325b218176bc9e6b0N.exe
Size

347KB
MD5

f15788d2a1dcdf8325b218176bc9e6b0
SHA1

6a19272d5324b5eb07f58b662a9bddaa0a39198c
SHA256

47e2294524d315c5645cd62916a770b5d937adc87b39e50f0124239a798b0282
SHA512

917c5c9b557bc26a87f325399321aa3bc1b86f2c95524d341e58d36151afe23956ac055b1a732965789a8c950d86214865726d3c63a4507368cf9eb6272021a1
SSDEEP

6144:9Fkq5Fx4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:w2x4brRGFB24lwR45FB24lEk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f15788d2a1dcdf8325b218176bc9e6b0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f15788d2a1dcdf8325b218176bc9e6b0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe

Executes dropped EXE 34 IoCs

pid	Process
2488	Cmgjgcgo.exe
1172	Cdabcm32.exe
4356	Chmndlge.exe
2348	Cdcoim32.exe
3680	Cmlcbbcj.exe
1488	Chagok32.exe
840	Cjpckf32.exe
4240	Cdhhdlid.exe
2980	Calhnpgn.exe
2660	Djdmffnn.exe
2732	Dmcibama.exe
5068	Dejacond.exe
4596	Ddmaok32.exe
4116	Dfknkg32.exe
3840	Dobfld32.exe
4780	Daqbip32.exe
4256	Delnin32.exe
4480	Ddonekbl.exe
2668	Dhkjej32.exe
1552	Dkifae32.exe
4024	Dodbbdbb.exe
3460	Dmgbnq32.exe
760	Daconoae.exe
1440	Deokon32.exe
8	Dhmgki32.exe
5060	Dkkcge32.exe
3940	Dogogcpo.exe
2036	Dmjocp32.exe
4308	Deagdn32.exe
3124	Dddhpjof.exe
3604	Dhocqigp.exe
4776	Dknpmdfc.exe
1860	Doilmc32.exe
1920	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	f15788d2a1dcdf8325b218176bc9e6b0N.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	f15788d2a1dcdf8325b218176bc9e6b0N.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	f15788d2a1dcdf8325b218176bc9e6b0N.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe

Program crash 1 IoCs

pid	pid_target	Process
2156	1920	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f15788d2a1dcdf8325b218176bc9e6b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f15788d2a1dcdf8325b218176bc9e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f15788d2a1dcdf8325b218176bc9e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f15788d2a1dcdf8325b218176bc9e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f15788d2a1dcdf8325b218176bc9e6b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	f15788d2a1dcdf8325b218176bc9e6b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2488	4008	f15788d2a1dcdf8325b218176bc9e6b0N.exe	84
PID 4008 wrote to memory of 2488	4008	f15788d2a1dcdf8325b218176bc9e6b0N.exe	84
PID 4008 wrote to memory of 2488	4008	f15788d2a1dcdf8325b218176bc9e6b0N.exe	84
PID 2488 wrote to memory of 1172	2488	Cmgjgcgo.exe	85
PID 2488 wrote to memory of 1172	2488	Cmgjgcgo.exe	85
PID 2488 wrote to memory of 1172	2488	Cmgjgcgo.exe	85
PID 1172 wrote to memory of 4356	1172	Cdabcm32.exe	86
PID 1172 wrote to memory of 4356	1172	Cdabcm32.exe	86
PID 1172 wrote to memory of 4356	1172	Cdabcm32.exe	86
PID 4356 wrote to memory of 2348	4356	Chmndlge.exe	87
PID 4356 wrote to memory of 2348	4356	Chmndlge.exe	87
PID 4356 wrote to memory of 2348	4356	Chmndlge.exe	87
PID 2348 wrote to memory of 3680	2348	Cdcoim32.exe	88
PID 2348 wrote to memory of 3680	2348	Cdcoim32.exe	88
PID 2348 wrote to memory of 3680	2348	Cdcoim32.exe	88
PID 3680 wrote to memory of 1488	3680	Cmlcbbcj.exe	89
PID 3680 wrote to memory of 1488	3680	Cmlcbbcj.exe	89
PID 3680 wrote to memory of 1488	3680	Cmlcbbcj.exe	89
PID 1488 wrote to memory of 840	1488	Chagok32.exe	90
PID 1488 wrote to memory of 840	1488	Chagok32.exe	90
PID 1488 wrote to memory of 840	1488	Chagok32.exe	90
PID 840 wrote to memory of 4240	840	Cjpckf32.exe	91
PID 840 wrote to memory of 4240	840	Cjpckf32.exe	91
PID 840 wrote to memory of 4240	840	Cjpckf32.exe	91
PID 4240 wrote to memory of 2980	4240	Cdhhdlid.exe	93
PID 4240 wrote to memory of 2980	4240	Cdhhdlid.exe	93
PID 4240 wrote to memory of 2980	4240	Cdhhdlid.exe	93
PID 2980 wrote to memory of 2660	2980	Calhnpgn.exe	94
PID 2980 wrote to memory of 2660	2980	Calhnpgn.exe	94
PID 2980 wrote to memory of 2660	2980	Calhnpgn.exe	94
PID 2660 wrote to memory of 2732	2660	Djdmffnn.exe	95
PID 2660 wrote to memory of 2732	2660	Djdmffnn.exe	95
PID 2660 wrote to memory of 2732	2660	Djdmffnn.exe	95
PID 2732 wrote to memory of 5068	2732	Dmcibama.exe	96
PID 2732 wrote to memory of 5068	2732	Dmcibama.exe	96
PID 2732 wrote to memory of 5068	2732	Dmcibama.exe	96
PID 5068 wrote to memory of 4596	5068	Dejacond.exe	97
PID 5068 wrote to memory of 4596	5068	Dejacond.exe	97
PID 5068 wrote to memory of 4596	5068	Dejacond.exe	97
PID 4596 wrote to memory of 4116	4596	Ddmaok32.exe	99
PID 4596 wrote to memory of 4116	4596	Ddmaok32.exe	99
PID 4596 wrote to memory of 4116	4596	Ddmaok32.exe	99
PID 4116 wrote to memory of 3840	4116	Dfknkg32.exe	100
PID 4116 wrote to memory of 3840	4116	Dfknkg32.exe	100
PID 4116 wrote to memory of 3840	4116	Dfknkg32.exe	100
PID 3840 wrote to memory of 4780	3840	Dobfld32.exe	101
PID 3840 wrote to memory of 4780	3840	Dobfld32.exe	101
PID 3840 wrote to memory of 4780	3840	Dobfld32.exe	101
PID 4780 wrote to memory of 4256	4780	Daqbip32.exe	102
PID 4780 wrote to memory of 4256	4780	Daqbip32.exe	102
PID 4780 wrote to memory of 4256	4780	Daqbip32.exe	102
PID 4256 wrote to memory of 4480	4256	Delnin32.exe	103
PID 4256 wrote to memory of 4480	4256	Delnin32.exe	103
PID 4256 wrote to memory of 4480	4256	Delnin32.exe	103
PID 4480 wrote to memory of 2668	4480	Ddonekbl.exe	104
PID 4480 wrote to memory of 2668	4480	Ddonekbl.exe	104
PID 4480 wrote to memory of 2668	4480	Ddonekbl.exe	104
PID 2668 wrote to memory of 1552	2668	Dhkjej32.exe	105
PID 2668 wrote to memory of 1552	2668	Dhkjej32.exe	105
PID 2668 wrote to memory of 1552	2668	Dhkjej32.exe	105
PID 1552 wrote to memory of 4024	1552	Dkifae32.exe	106
PID 1552 wrote to memory of 4024	1552	Dkifae32.exe	106
PID 1552 wrote to memory of 4024	1552	Dkifae32.exe	106
PID 4024 wrote to memory of 3460	4024	Dodbbdbb.exe	107

C:\Users\Admin\AppData\Local\Temp\f15788d2a1dcdf8325b218176bc9e6b0N.exe
"C:\Users\Admin\AppData\Local\Temp\f15788d2a1dcdf8325b218176bc9e6b0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\Cmgjgcgo.exe
  C:\Windows\system32\Cmgjgcgo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\Cdabcm32.exe
    C:\Windows\system32\Cdabcm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\Chmndlge.exe
      C:\Windows\system32\Chmndlge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 408
        36⤵
        Program crash
        
        PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1920 -ip 1920
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
347KB

MD5
43713987f6abf35c0890f8fe8d9cda8c

SHA1
d3b669a07738a18d61f11bae8511b9b023226750

SHA256
a69328d5398bb8407f525837ea4e378d9c795d78f410ae05e7df164ba387a817

SHA512
ac14416287ed4ce2bc915db832cc2554dbd29de5cc0bb8823c9234e37e6f06540931f8b30f23ddc41f236fe21c1451e24266e9bfa925233f5ae6fd1636f51d68

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
347KB

MD5
362487fabf33348b4aad1e304e9fd305

SHA1
390c7d7616d33e091e73b2b8cb6326c1b14fbd7c

SHA256
ec7745dd18cd954284800feb38ceebd671365e96d9978d799dd75059bc23be3c

SHA512
fa204c16f3560601fc2f6e76c75ff1beb178ba95b059b53f4c25e0b1d863cd251c2c056d886d5b7a522085802953973ab98495e929019796af3b6b51bd16922a

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
347KB

MD5
f74bf13ed9ed96d8d5399aa5908c5e5a

SHA1
195897fdfb220377627a83a4e6da9772334a4fcc

SHA256
506f339fd233727c94fc453565afe3d4e6ea55c73d745805490c39589d902591

SHA512
fa94190e96521a1a46f4edc88424fb8b96f26e623f3c6e220d2b779b258f8b5de5568bbb86b7c4c269dd1e2ab478427e027ba90a76ad0b265b900d9129f5aa6e

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
347KB

MD5
f613462ee16e86dbb70da6181f34ba8f

SHA1
62d2ff8af779a673b6263ef67998405812967ce3

SHA256
f56898eb78795115cb752ac46110a1670a15b9b4b0ac2c1c660b3b3429447b3a

SHA512
1ea20934db6ca87efde4d9da68ad5b528b58c5313fccfb932bd496958791cd0dd61eb6ef0a4b8ffeca00f0d5b8e0ac981a3b6f75ddf42e9a7b83cf4377e47ce3

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
347KB

MD5
6408842a5709f23b1b913c71ab4f380e

SHA1
1c97454d603f12ba1263d54700e1975ae0a4169f

SHA256
0a67a4361bc5f54d32ef589c256752fffaa8e0c4f697886a2bd4ed4484643636

SHA512
1e36e8d4913f610a7dd0f656e7a9b6177893ca3f37c75fdf01251520a92f94746cd55299f37e0ec65edc3c1632615f6920a3a2d344380e537558065e619bf8cc

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
347KB

MD5
809a8aef673acfbcb4b57c5ef1cb0aa9

SHA1
8fd3bbd0e3901bff87c809296df65a494c91d922

SHA256
f38a74c362c01532abc8b272838581a59daa9d6875fc4c667842e86076c0a1ac

SHA512
8e0dcd74caa740364375c087ae71e4bd1c2456c49e03609a8a79c6dd536734678743465817c12b78a269b12cde108926bc890fbf370ce9ee6cc45dcb0cdf7146

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
347KB

MD5
db7e88ca2e9a11aa5aca6bdfb258e049

SHA1
4716eb4f61ff2b7dbaa525e17bd9bed28a8460aa

SHA256
5ed80100e38b3510ab9964b4d9c986d237ef38f41164311aec3a604575f7a66b

SHA512
def5029a445dbf9a8d456543fb689cb4e4789d686a5f54e10d4c779d8e146d4a61fd81e1e7e9f98ab77587f86e1c0d0bc8c0c7a4d7d984d18e51afbd062e3de5

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
347KB

MD5
d90be68bf25619e415304d908ea23dc1

SHA1
f5449182d0a1c22f34569d1c3787c460e0a2b513

SHA256
d41d1b11e80ce9849a16d9c0210b9e7eacbd69d31202e1af88e5a876d4f5636a

SHA512
effc15fb6554175a3801bc5d67dcdd6cf52e40590ad735d2308c3dec02c729a5d67d3ed6b395df277369576398b785aef083522e3f6ee62d8765898fabdb0375

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
347KB

MD5
29e19e5d7ad32b96ec7bc9b68627ff0f

SHA1
7ded34d31b225061f85bd00735e527218868ab74

SHA256
b114855899b0c3b14c9426bd8b95a768cf0449dfadbb75c1af66a59281019d90

SHA512
7028657c5fc5cac9de59f2e3fba3b795ffb81881a381e551e57f83cf7058efd6fa5c9b03b5d0469adebe8b42be78379679bb77eda820afe46ed81e98f04e8f0e

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
347KB

MD5
96ab0922b37b43820018ae6efd826ddd

SHA1
842cdec954db491e37fa8ac6b4c4d463875a5345

SHA256
92f0adc3175f1ce2e45d8f8c791d0bb972c8d46b93617017a51fd287415c653e

SHA512
e599f388ff55582c31f6f36d0ccaa3cce329b006273799f11577f20eea517a9b583ee518e07f9d18dd7f6f422432292ece1b81af7371fee9b062e12b271e070c

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
347KB

MD5
ce12788d39ed9ed0ca4e47bdf69843f3

SHA1
b804329ecb8a9e56554dd8c1d5291a2bcb60e786

SHA256
6abf1c4e8a8a252a4bfbc1efd9c8c46dd3fdaea6fbd3d8632c1ed9be82600fab

SHA512
5929172d5b05bcd469a9799dd3b4e9ce472ec4e96ca8e75b600a877e5f06750bea6aff3e5605531db1fde6a99dec4a12c7b42dc574114fe07acf6e97c3b8f6d5

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
347KB

MD5
e2a4b3edf81c441a0f3363402d805ab0

SHA1
80e11a2d8cd3186b224b73ee8386173cff01af59

SHA256
9359eb35ed7108a5848a427c4cf433ae6e603bf9a189fc120b6729a4530bd5a2

SHA512
702b74fed9511609b53111162ae00116ada2ce5caa27f27c93672c0f0e504488e3c1408a87c22b0e70aaedee000877f57e72f9f0186e39ed96597704f68e6df5

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
347KB

MD5
687799c3f6cea1d1575c4c19aa3563af

SHA1
0e52745b12463e6070f0361cdeacbbb0d4dc4eb7

SHA256
abe7c87540392adc567f2c154d910e5d189b8a341c7aac5d70931c13ec2581bd

SHA512
c7a7a3cf287104e9f13fb86c2e1a942cb2c479fd93826652e19f3a0d5dad6a432a7707cab4e2a39ede86dadbee622486ca836d5efb99b2c89f114ccb153f1661

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
347KB

MD5
dc06fcc61cdf1f59f0be51d2129adbe6

SHA1
a61df3ea31359db2f42100b241d786b67cfb096e

SHA256
1884df9b45125b879f689618a0cfeb3cad7212280cc2e5479991ed21adf6ac8e

SHA512
bd045b8591acaf9de0cb21bc324780697934f34c429e9014d58a4770659d434c3a9117e130f20c382758ba3677929a615cc85699a8b22e104e4309be0fd5f267

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
347KB

MD5
009c95258c44f6c7e6acd1e20a6c6e54

SHA1
c259691e8e7de02dafbfcd99ab0f3cc784c7ecb5

SHA256
1e8c6854f60f33f635450bf9e61a15b63d8054a8113f4927217058a8daa5b22d

SHA512
2e632b65877d362233da7153b3bde798f0f729bc159870c4f6231eca85fbb9ab625e50a65f65466bde2bfc5a8cd04e8335dbf552526972dcd2e2200c0b1508f5

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
347KB

MD5
7492334dd0f02fdbcfb45657df1be998

SHA1
a3fe8b6aec09669cde3edbc6ba99ac74448ca203

SHA256
cd5439bfee4cc5d3fcb216889d92f9efb9340e134da95b82981f1b547c8b4b10

SHA512
7ff7126b8f4ba7f4c10a27c81dc233ab01c375ab3137aa5ec7585ad2a6faf91a8ae6a4cbb66cf2d37989ef179d5b24ce2d73e06426488913b7006a2a5b39a6c2

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
347KB

MD5
845b410357cfee579ec323e274bc3a1a

SHA1
1373f7ffa5378211d55ad0bf2f84b05497334f9d

SHA256
8ac57c0cb3ac68857a225d50e38180232b40d5dd5788f859852000734dc3f802

SHA512
a645827a8a4de4bca1e3a295135631f792d00ce294b66b53213ff713f96419ed509a98fbfe3551bf645deea413cfb113b848b4b0228c710c73cc76d62e8daf02

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
347KB

MD5
ae705ee20ee3b1186cf813720c794800

SHA1
f4c09f6bdedd822174e80181f888735881b841e9

SHA256
50a2df853b486891dbabd0c6a8273106e796912f17b36b49eebe81f99b6f7c78

SHA512
782233485b8869859710751edef8f39bc50ac066c6fb1d9f89e2a23ea67720fe46dff60916d11146991f586c46d0efe4a56c7def23f3c3e35c9e006441810215

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
347KB

MD5
0e9cdc3d9e0d0978d1dbbe87d4708f8e

SHA1
0af266ed0f1428c21d7170b095f0ac3de0a6f3c9

SHA256
5b2710f1c14caf5dbde87e0e5143a4a31c1af616bec30537de151c38832ebf45

SHA512
a05a0887a6c23cba4ec40b4215a9c0cc1e0559f03ce2e825978e5337ba4090dc8b6ac119a7dd9c8e4e371b15420d1771400cb3e4b7b5f2e3e775ca9d20aa7c7a

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
347KB

MD5
75cab026569b83bbc4ccde515976361c

SHA1
d245b4478a07b2304ccf084ae755fb461303a723

SHA256
e8ab2ee36775ef94b0a1d3e2379721c875d5b9be5f9f8cba6565f63e429a1be1

SHA512
e2718d75def7b9a61643fa0ed2081ee3d0c48da2488e903c9b91eae7b0ed4c7f04a3207f60f3470d9749add313744526f7c8982cf07884a1037aaa9a5209184d

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
347KB

MD5
6fe997c0cc2ed358ec3d88ee7cf93119

SHA1
c76f6b70bf260305161ecfe773586222e4787211

SHA256
bac5aa5b020b106cf5dfc43ad801e3631e88dba8b1ff6afd0008b25b2d28a472

SHA512
c6e0c9f629cbbc2ae9da4d1a53c0879a88d181aaaa189b0bc7f4430cffdcafe161c9f48a505ac05bc34d73b10d2ad2c2b1c6d0278d22dc7e121ba550193f5135

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
347KB

MD5
85c1339455dcb25995e7109ce8b39228

SHA1
130a1d9d4b828ba3c1d34a4e7dd0edf76dca7848

SHA256
3ee6cd691f81be6cf290c4122e109f92f8184370b966135ea9c0673461fd336a

SHA512
cd1d77fd3bd43bf95966e278630c248f58fde18330d2dd6bf70a6c8f2a2c28aebe09ec8659ff87504711c10b2b500dc614fa78e1c204a8b9517e16a2aa824787

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
347KB

MD5
17098f84b7ca79a2df84fb88dd7abf48

SHA1
e573fa20ca4e70a32a7d6c34b5155cfd10cdb092

SHA256
120a8932917cff0ef4c60b186bbfab7b9e0030edec21be03f328708f902ad68b

SHA512
4cb7dc3e3664b72b68711dc5e5ff199cfc9d5f8d176e94de8312ee0472d70b7915ab250a663ffa7d2f237f0df85b4c176d4d547e81ffe980c519c24415900ab0

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
347KB

MD5
60cd64baaa2929d1ae73b1ba24f135f4

SHA1
8d7d12b3616fb0328bc89a43bbf7ab1d34c6e90b

SHA256
a5ec205a1dd4fccf49a3a58b79fa60f57404123e729ebb13d0538f41b81cb2e6

SHA512
f07460a7f28b3e3deaaf31c587f878cf42ac9513a49dfcd684103e072ad46548d20362bc6f2613401ebf4a42053e89e19e257204fca9e7f54e26eafd4cc157eb

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
347KB

MD5
6735850075c6aa33dce597731ea5b940

SHA1
432d8e8b5623ea8756a409dadb9365023ceda1bb

SHA256
7cbb1171586a2ef7de41155c2d16b274b634038437926c1fc03202dd0be85525

SHA512
87b430af71726cb319bb6870ff87cb5a95d2cc30a0c1bb234476a6a94308913a16fefd96c28cd0728f006c8813ef1fcd45c37de798b4b887e389dbe47417cd04

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
347KB

MD5
4ecc5d08c5059af424710bce2c99112d

SHA1
d1f84e637e998988f53fd33ff8688a8e1018c0bf

SHA256
9c20a4e4b9217b58c9cdbc0e662a38936e144262c3a08247a41c306609288dd1

SHA512
0472990069b9e2d72e6a47293c9f99485a3c140538a5ea30310053f21e871a5b5a2fa0cd992e1f0fc50270fb27587515fa50e33c8cf7aa1e486be900d59ef210

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
347KB

MD5
0073659c610cb77333a9089557b66705

SHA1
6a4c27fae3f5d4fe068a5722b0493984040b7e06

SHA256
f9aa3434bbecb8c08ff02c973daf832f156dad9414057286515470ed54b72de1

SHA512
5674d8f5fd21664227d4f5adeacd93ab5377c4fbca5a2fbd1707a65c1fda65a0b1c2b28910a1daeb0c5358d003d0793133930e984e2ecc9373d393d8818fc5ed

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
347KB

MD5
500b2d79dfe7522b4ff4dcec59f4d0ad

SHA1
c2479f0edeb9c964b918801d10786ce1affdbbf1

SHA256
41c39312552f2478e74d9340aa89c4cab8fa7a9f8ddbba8f47abd275ea7817f6

SHA512
732368d0b353064b2ad212e6bd9c5225f83937b0b6c05a8b0c77c067767ca94e1e9e8e594fd49766fac7cc9cec2106bb7c69639461af2f6d7ae437ef68bb3d68

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
347KB

MD5
5df56e47dcfb531f0c2429ad3bc41a79

SHA1
df554e2c6ed9c6535f7bbc1fd0fac021296e3a6c

SHA256
0d40617a30889ac3b12a2f282f30d6268b07b5bc43df1c32d8da6b9995cefba6

SHA512
a48c75c50f4d722e90a640203ce2d3efe76f28f63900382d21d35c740a084afb026df1d7b70251c2b80c502bf5ace0465f65f504d8ab589a1ee0c5af1abd4c69

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
347KB

MD5
ab574962d3bdf61f2db3c13198eb9675

SHA1
6aec23d81c60d72c3727fa51a7e8869fcea3c4fb

SHA256
2f124bd6f939461dcaab3ec3bcd5451157f05589d0277fbaf7a89af870e57c0d

SHA512
b52f2ab910f4e021c2391082f8e6f689e9521b0eaf1d511acfc6fc0d56eab701f6e49dd1edf1b28c94133a8da154ec36982509d2ef54cfb50f95828383d5d725

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
347KB

MD5
8daac44676168280519c28b8ddee9a23

SHA1
0d215feb454733e902e507a5a9ede1f1a31a106b

SHA256
1443ec21b18a7dd87fe290a6e891e8ae93b9fb9e1d47d7c7a1246929a213d92f

SHA512
bd46220b8050c4f3d6035656c8f30767a13927909fd03ba6aa931b917195c5921f80fdd43d4fa69439244ad81e4f86202372ea801b11db22f542a73daf702f94

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
347KB

MD5
c51cd53c4e50a029b908df45c4b69a8e

SHA1
d3eddccb6389a625f28aea2678baf53c679e2f1e

SHA256
db96bb3a4eab0544d3a691657faf621e88fde388ec9c923eefcf923fa31d02cf

SHA512
830c3835c5c1acc359d6d2de6d262bf4bd783ee970f5e43a2639cf501af7cbe4c07d4b47357b66f7fa6d244b43124691941b72e65947e3205e393ae3c3e82e3d

Download Submit
C:\Windows\SysWOW64\Fmjkjk32.dll

Filesize
7KB

MD5
6276cf9b461f6b19e4f82f44353b1b77

SHA1
3482f7675362d0866c522788b2bf82529e470d58

SHA256
9369db1688820ee364fb14d5f15f3ee87e000bf1ec1212a53f7d5707d194a40c

SHA512
653c8e870015bb14c2013e903e09f83ccb0f7e10fe8c8997b444605b4e4b2685146fff309430b699ffd634c403817ed1421d628b2a0880b8310cfb3eab597583

Download Submit
memory/8-204-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/760-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1440-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1552-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1860-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2980-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2980-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3124-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3460-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3604-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3840-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3940-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4024-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4240-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4240-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4256-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4308-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4776-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5060-212-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads