a7d2a8aacde7ef4c62f77d60b640601035cce55e8c89cfc2e21a63a1fd23b17f

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ff3f835672225f3bc9d3843bbb45e0N.exe
Size

64KB
MD5

32ff3f835672225f3bc9d3843bbb45e0
SHA1

3d31b2c3dd8fa6b3065600796a4a339389798585
SHA256

a7d2a8aacde7ef4c62f77d60b640601035cce55e8c89cfc2e21a63a1fd23b17f
SHA512

5402e36a78929eba03be745261ff527dac52d3c3963a67fbce1c88d1428dce7a2476057a20877d948a92a449cf24ad94e2f3b207374b75ab269e7f19e848e320
SSDEEP

768:U4uGbCW4ukxJ7JfXtmTuNycVj7AYxGoavoNi3ps4H/1H54FYQtKA2kms8Y/ts/9V:FX7kPn9J7yDoNsps4ZWyQrPFW2iwTbW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	32ff3f835672225f3bc9d3843bbb45e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	32ff3f835672225f3bc9d3843bbb45e0N.exe

Executes dropped EXE 30 IoCs

pid	Process
1104	Cfmajipb.exe
2260	Cndikf32.exe
3936	Cabfga32.exe
3580	Chmndlge.exe
2640	Cjkjpgfi.exe
1628	Caebma32.exe
1080	Ceqnmpfo.exe
3160	Cfbkeh32.exe
2480	Cnicfe32.exe
2108	Cagobalc.exe
3008	Cfdhkhjj.exe
3624	Cajlhqjp.exe
4800	Cdhhdlid.exe
1960	Cffdpghg.exe
764	Cjbpaf32.exe
4256	Cegdnopg.exe
4532	Dhfajjoj.exe
1812	Dmcibama.exe
2920	Ddmaok32.exe
2540	Dobfld32.exe
1108	Daqbip32.exe
4584	Ddonekbl.exe
3004	Dhkjej32.exe
936	Dfnjafap.exe
644	Daconoae.exe
4304	Dkkcge32.exe
3436	Dmjocp32.exe
556	Dddhpjof.exe
4896	Dknpmdfc.exe
1860	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	32ff3f835672225f3bc9d3843bbb45e0N.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3668	1860	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32ff3f835672225f3bc9d3843bbb45e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	32ff3f835672225f3bc9d3843bbb45e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	32ff3f835672225f3bc9d3843bbb45e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	32ff3f835672225f3bc9d3843bbb45e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	32ff3f835672225f3bc9d3843bbb45e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1104	2928	32ff3f835672225f3bc9d3843bbb45e0N.exe	84
PID 2928 wrote to memory of 1104	2928	32ff3f835672225f3bc9d3843bbb45e0N.exe	84
PID 2928 wrote to memory of 1104	2928	32ff3f835672225f3bc9d3843bbb45e0N.exe	84
PID 1104 wrote to memory of 2260	1104	Cfmajipb.exe	85
PID 1104 wrote to memory of 2260	1104	Cfmajipb.exe	85
PID 1104 wrote to memory of 2260	1104	Cfmajipb.exe	85
PID 2260 wrote to memory of 3936	2260	Cndikf32.exe	86
PID 2260 wrote to memory of 3936	2260	Cndikf32.exe	86
PID 2260 wrote to memory of 3936	2260	Cndikf32.exe	86
PID 3936 wrote to memory of 3580	3936	Cabfga32.exe	87
PID 3936 wrote to memory of 3580	3936	Cabfga32.exe	87
PID 3936 wrote to memory of 3580	3936	Cabfga32.exe	87
PID 3580 wrote to memory of 2640	3580	Chmndlge.exe	88
PID 3580 wrote to memory of 2640	3580	Chmndlge.exe	88
PID 3580 wrote to memory of 2640	3580	Chmndlge.exe	88
PID 2640 wrote to memory of 1628	2640	Cjkjpgfi.exe	89
PID 2640 wrote to memory of 1628	2640	Cjkjpgfi.exe	89
PID 2640 wrote to memory of 1628	2640	Cjkjpgfi.exe	89
PID 1628 wrote to memory of 1080	1628	Caebma32.exe	90
PID 1628 wrote to memory of 1080	1628	Caebma32.exe	90
PID 1628 wrote to memory of 1080	1628	Caebma32.exe	90
PID 1080 wrote to memory of 3160	1080	Ceqnmpfo.exe	91
PID 1080 wrote to memory of 3160	1080	Ceqnmpfo.exe	91
PID 1080 wrote to memory of 3160	1080	Ceqnmpfo.exe	91
PID 3160 wrote to memory of 2480	3160	Cfbkeh32.exe	92
PID 3160 wrote to memory of 2480	3160	Cfbkeh32.exe	92
PID 3160 wrote to memory of 2480	3160	Cfbkeh32.exe	92
PID 2480 wrote to memory of 2108	2480	Cnicfe32.exe	94
PID 2480 wrote to memory of 2108	2480	Cnicfe32.exe	94
PID 2480 wrote to memory of 2108	2480	Cnicfe32.exe	94
PID 2108 wrote to memory of 3008	2108	Cagobalc.exe	95
PID 2108 wrote to memory of 3008	2108	Cagobalc.exe	95
PID 2108 wrote to memory of 3008	2108	Cagobalc.exe	95
PID 3008 wrote to memory of 3624	3008	Cfdhkhjj.exe	96
PID 3008 wrote to memory of 3624	3008	Cfdhkhjj.exe	96
PID 3008 wrote to memory of 3624	3008	Cfdhkhjj.exe	96
PID 3624 wrote to memory of 4800	3624	Cajlhqjp.exe	97
PID 3624 wrote to memory of 4800	3624	Cajlhqjp.exe	97
PID 3624 wrote to memory of 4800	3624	Cajlhqjp.exe	97
PID 4800 wrote to memory of 1960	4800	Cdhhdlid.exe	99
PID 4800 wrote to memory of 1960	4800	Cdhhdlid.exe	99
PID 4800 wrote to memory of 1960	4800	Cdhhdlid.exe	99
PID 1960 wrote to memory of 764	1960	Cffdpghg.exe	100
PID 1960 wrote to memory of 764	1960	Cffdpghg.exe	100
PID 1960 wrote to memory of 764	1960	Cffdpghg.exe	100
PID 764 wrote to memory of 4256	764	Cjbpaf32.exe	101
PID 764 wrote to memory of 4256	764	Cjbpaf32.exe	101
PID 764 wrote to memory of 4256	764	Cjbpaf32.exe	101
PID 4256 wrote to memory of 4532	4256	Cegdnopg.exe	102
PID 4256 wrote to memory of 4532	4256	Cegdnopg.exe	102
PID 4256 wrote to memory of 4532	4256	Cegdnopg.exe	102
PID 4532 wrote to memory of 1812	4532	Dhfajjoj.exe	104
PID 4532 wrote to memory of 1812	4532	Dhfajjoj.exe	104
PID 4532 wrote to memory of 1812	4532	Dhfajjoj.exe	104
PID 1812 wrote to memory of 2920	1812	Dmcibama.exe	105
PID 1812 wrote to memory of 2920	1812	Dmcibama.exe	105
PID 1812 wrote to memory of 2920	1812	Dmcibama.exe	105
PID 2920 wrote to memory of 2540	2920	Ddmaok32.exe	106
PID 2920 wrote to memory of 2540	2920	Ddmaok32.exe	106
PID 2920 wrote to memory of 2540	2920	Ddmaok32.exe	106
PID 2540 wrote to memory of 1108	2540	Dobfld32.exe	107
PID 2540 wrote to memory of 1108	2540	Dobfld32.exe	107
PID 2540 wrote to memory of 1108	2540	Dobfld32.exe	107
PID 1108 wrote to memory of 4584	1108	Daqbip32.exe	108

C:\Users\Admin\AppData\Local\Temp\32ff3f835672225f3bc9d3843bbb45e0N.exe
"C:\Users\Admin\AppData\Local\Temp\32ff3f835672225f3bc9d3843bbb45e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\Cndikf32.exe
    C:\Windows\system32\Cndikf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\Cabfga32.exe
      C:\Windows\system32\Cabfga32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 396
        32⤵
        Program crash
        
        PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1860 -ip 1860
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cabfga32.exe

Filesize
64KB

MD5
cb9b9996ba9041c9604dfe93776f136e

SHA1
09b20ecd1a414ef85ff6c2e36207c2a63ec1d37f

SHA256
bf689c6ea8965e1461159fedf26e69305c7dd072079127f26413b73812f45c81

SHA512
bc373953dfc4ecb45afca87537a149825cdc8aae700cfb4c5cd92ed9593676dde3ecedecb23945c642b914abe38f147a3411d8d33168a03504a079572989f64e

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
4a50fca7f08f21eab1201737531d289f

SHA1
cfe0b1e7bedef18b781e3ea77fbd1ae954f54a4f

SHA256
cf4e693aa6eea1955c14519664e67db85a9861151979f18cd10679b1a77eff40

SHA512
508e939f9f0d627d1b2b757bead402e4ed6f118d223a207d93529f13aa1790ca71dc9d7f160c5244d8198eba518e7b132871effd7c767ccb11254669e9a193f9

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
64KB

MD5
25fd3175fc293d4d79bcee80ae8cb7b5

SHA1
ccd003069eea83958705156dc307ba4578da23c2

SHA256
76d08b4e2f74bb36a759085f9d4c38efa56441025af7cd0cdba5d7984a90f19f

SHA512
40059c6c6b73022af5afc65be4d21e66ecd35d011cc2669bcf84718aafbbd7560879b8ef52d88e01976fca1c1f48a55491ab85b2fe1cc8e1860a1bbbe3d308dd

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
1cf763bbc71e8ddf8e4f8c0108ed233c

SHA1
90abb1f64c0e295afa4376645e63beb335608dc2

SHA256
9282d8755a1f12ee15c07d59e97befb6d8c85f673c11bcda8e46c89e281b6a3e

SHA512
8e6cac8570a39e85e15c2fe9acc2da79d8f372c2fbc385e04cb557bca8403aaa7230c52721115f424743366b1db53569af169fcd194a76487d6c2ad281ac026a

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
180a6987e5d367b34c92b35d9f95a93f

SHA1
60c022758cc83bab0e8d4a7144e7c42a4fe5ea8e

SHA256
29af4c924587cce19518af2f0f45f7e3987f60cb22615b0255c056018f593965

SHA512
5cc2c0c37c6be324d7995ee0b2949a509aa0c4c38fdbbc5db1c8098f55f83e4233a3a822ccc87e8da4ce296045ea69f10367b306fb9c57be650032a557bc892e

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
1f335fa3619354d5d10803dedabcfca2

SHA1
b9ceeef110218cc631b9ddcaee601724655b9948

SHA256
3793aef074c473ae8c608161a88b8b63c8ae72445146f0e9db44f6fd06620bd0

SHA512
1f5fde2aed8ca3468fd87359258412334d45e78095ef3ace1b33d3045fd6100a7be5e4f6625132dfa7734b4f23237095a7ea79035e5b5a856fb1be565cdff9cc

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
64KB

MD5
2e015d05df60e5eaad71756cfc6b4f9c

SHA1
287c9e9375e70cce1a38cbcb32bd63bc322f40d2

SHA256
1aba7ac1b7882279c89954a09df20f95dc53a104aed98217d355d71e8aec50a9

SHA512
36916164615b5ec73e32355a7deef3443ef3a9ce866e6d567ca34545715039fcc24508871f90e827793d76759a1d721553f9ef155521998194558db648b7ba0f

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
39f0b20739d60858dacecab9aa246252

SHA1
a5eb77722b42ab7a6b10669b9f95d98d22a7942d

SHA256
807500e3ed99e239e851583c142b0786e73fba0500a9258d176106965c94b50c

SHA512
38274fc1cc649b521c8bd9ed1a60ede2b60c63039b06e354263a8765bbfef8f5f3627b6658c9dafd71df836d617ff06f74881973e7948ffdd59911712d077bd3

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
5fd4f7385453ac784cc63a498dc29cf3

SHA1
20fa5701343e37313c384f4c8cdc3f53a73025d2

SHA256
1c584ea4e395116126f67159e5af02b6948967feb5c46357a4ed8c3d7296f067

SHA512
8bba52e377eaf2fafe990b71c397387ebf348869ae402ccb7d94d8cfcae9b4b172d1e1b99175d7b42278e683152ed67387ecd37a717132238faad901d8d07d77

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
b1578e255acd14989db6fd12844cab6c

SHA1
f81dea04231cb54dfe396638eca3423b646d8440

SHA256
fb9b5e54ffa23df313cc4df4618d371fb9a7886e01873867889f5ee9242b2f20

SHA512
779a66886df3afb4ea6f23029555d2fc04e05c02f96c19268b0f7ecf884e1cba6636eb7d31c6c6710f232b8e6a2d8f0b33ebce6258ce6d1cf4fec1f93a6e8466

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
06f8dc863233cefa31575396dd0bd0e4

SHA1
36596960c602a7c709d3a67627763f28256034c4

SHA256
0410ebbf09757a3e5b1b0170c4355973340dafce608c68f043d4f1f62533e116

SHA512
7d814a8ae439e9b1e395e567b6d1cfda928c8c737d411c471e090caeb90b2a980f702778e7c310d38ecac9dbbd2cb48a3c3d881eed7a4227130849107bb64995

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
f11d39792ee7b6e11cf6c8b88b2cb39d

SHA1
265a8d38d6697030b66b1fb76e3d5a9a25a2b6bb

SHA256
f663a8e50394e7866dfc89210843a90fec4b7c59966de9516a2ae679edaad84c

SHA512
dc795fc84815500cde655c3d27cc6a38ce636b3694233b6a1b959813aad56d0f883b1731fac9b2c6e2ed95c3d3f37daca840b45a101c21eaca0782bb4f4f947f

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
863c3db9c218c3e98e252e6d36b76a7a

SHA1
759d1a0c638399838dc502f0e986efbea28d0742

SHA256
732043448244a5c4430915828e48b81f58ccbf8be480fc08735b3fec07102f1a

SHA512
0903768bc13b837aace26e20743347cca80d42482b00a541aa6ec813e453363e3b08176e5a7d5f80638eb4b60a5a40e0eddfd4a4d16f89106608de3209b97101

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
c90ae5c063e6ea990dbfa8c7a8262b16

SHA1
cb90a5f237cba8bfbdada755f8f905ea120dd61d

SHA256
358f1bdd9c62719f215ded9b36e24e96f584d16bd5d07ba881799c73eab34ea6

SHA512
8a5652fe4f324fac87800c47080ef94c6096ada206216c4c1fb94a6700d38b4a5050e1f8cc715c3c63c878c9e11f243f370adb9f816791b0f211bd86b51c00d0

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
64KB

MD5
08a80884734b20dffc373c32b27b11c3

SHA1
94c741d8b7979dc27de786fac67d3ef6a34c1573

SHA256
418c62277b1adc70bfe019ce5d3ecada94bd91ede6940c296775ead87bf0348a

SHA512
5228997252c1a9e5c17d9aaf3b30ac0a94ea2a6360e43ede149e5aa2989160f812c4c15263f1795e9679ecb91cd196815d6747452b51bd3f511fc16742ed35af

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
64KB

MD5
466422b064a9a3438c22f5c7908bb4aa

SHA1
a5c38b94f0df77f7528b12580cab9b667e40ced8

SHA256
d7c2d5fe1a56e5df3b49a0aa1e39a7778902fa87f3ebf7d9e3c9f4f722d92256

SHA512
a62a804bfc06a07879d9a501c546378d431eab91a860ed17aacf4ec3f96e37458fe4a64dc89e4bf32210e7de07999a2862d841db733d933bffad5a58bc0577d8

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
64KB

MD5
a4aacdb855f0e31c174a33ce6a10aa47

SHA1
f87e5c05d7a4740cde4373c41103767ae656b643

SHA256
cc052b7123976fa624b3c7dce4f3bbbf519c9737e2f7a34a993189cd4387fb5c

SHA512
b8bcc81e49d1ff3a0f2ae53d7da78e6bd9d32bb00078d0388afec3262a26a7c3e6c9aa742b1b524f63635fdfca61aa444cf830caf5b4a83ad5d0c2422598e4ca

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
7d520a9325371c42f0e023547a91b334

SHA1
e9dfb283b0ba1a688195c6da4774f6184d7afe37

SHA256
88b3f781830d5344ddd219cc236c348b4c36fb008195d08f8e5577ecba70d2a4

SHA512
d3879bfa0b7b34fc730af91ff721894c8f738f713577d2e0b81b5e397f73d5a1206b7af312fb1cd3f92b31cd2d97471c557d4171fb671db8db5c28e96ab3498e

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
64KB

MD5
771c9ce5f52a5d5428437f32c463fa19

SHA1
700e2af711ddc41cd36ae4f1f419ccb77d8cb6be

SHA256
c8fc2a4da56a26f116247c518fc1e61f2631abaa67698cd0c34116993d484151

SHA512
2c5015c7e9f051b8d73c706c492e59c7e99054abc44c2f04c165c4b6d86eeae061ed7146655f4749ab87fafeb718eb8e09bcc46524dc0aa5c9910ef03ea59861

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
a91ea8b69394b691ad14050f3a914d8d

SHA1
86e8695e1212e059e87f75862eb75f3654d0e2ec

SHA256
a30ef3a0782f506307c1515a46fc850eff89410f8a6294ee09ad4675b71e5fc7

SHA512
1e99f6b139517694083577a8ef4976f9335245864506e47d3db2482a9a967a1dd74654d00350919a589181eaaf3696eb414ff4b2e660969682f8bd05e5157a65

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
4b159f552e5d6394760a8cdc077c34ce

SHA1
2e4e12674192a17923059e60988ac94cc4a5245b

SHA256
bd98d37e24e571597e0c8debe66f0a3ea5dbf073f061497ae6ce46fbc00b6fd5

SHA512
60c52a8241ea813a7445144d29ed5eb7511dd2a945edda6e2c187d03a7223aff1d505be41fae19459c2c00147032a3fd24cfb6a8c99b6f0f18a5676f08d0b027

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
64KB

MD5
bca51c5a78c79e64e1c04a2a5b056f08

SHA1
d20ce2ef7cd12339d0c72d603ead94e5cb4edd77

SHA256
e049b916da8a2f3c711fb04cb18885d8b7da14b18625a05eb5f23922f94ddf3d

SHA512
cd4f0cf5cdc0a47099271e8bfbb493c7bf4984d4a33c104e476fc9d8f76022fc0821ce68dec60d8d0a98de9d0536d8f0c6bfe1d205a3b936b177c283053232ad

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
fc4b64caa86fdcd104c6403bfed1b0c7

SHA1
f2e07b4974ad2c0d790d8cb70ba6d059bc77e910

SHA256
58b9c69d4acf075c4c5bf7c51b2f7a0fe729a920f2bf1d5916a86f2e436a09f6

SHA512
550de07f46a9d3082f5af608026c374cfdba857029e94a52cea8ee2bc28067c483e03625295b176d9109523ba92fb5dc14b204def28b483e13d6f78390560266

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
23425f21bdf6da055645ac196f82f6c2

SHA1
8ea30d3413df3fe776256883e8719c31e61e6a96

SHA256
c1f6e0c114a6d22169fdf008272867d221a1011b1bceae3b94ff2b33b997b43f

SHA512
c48245f7e56b165f08d4b54f009000587833e990640efec22b9865fa6590b209f9a83f134f296440b6702e2e9197397cc6151f689b345bd081af17c17d8ab649

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
64KB

MD5
5f8c6b00c6f6c9c62071152ffa7a81d9

SHA1
9720254ff184bdcb5a38773db13fea78ffba77e5

SHA256
14df2dc1ad65ac05d5cfe65a47f0ebea0ed3af838491dec7d56a0b498311bdef

SHA512
db870176101550f5b5085bb02b5c5c6aa5ab8d392bc3adf4003c2a0c9a27b6f753f552c8a020f9df0e342bce61298eacf9b4aee7a6ff36dd88c5fe27a256c887

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
64KB

MD5
ae1e9a059fadf40231ad501d97ec9c73

SHA1
3b733d1583d540649bfb617d55045e12549b05e4

SHA256
bfd7a63da196cad5dd4065adf4d61a6934d1ab047c4d270f1654e50428a51aa1

SHA512
6d0d9b684313e9f78101b84d2d71872ef414855b14e3a52266295bc7791abb47761ccec37029342b1e6a8620c0404c53c51806a40a6a5224e5331ca5e8f75bc4

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
64KB

MD5
edef8146449aebb66d4b0896287e2489

SHA1
e72818081777f0ff857b2e8ed8a62005e1decce1

SHA256
304cbd0e72f651a36686024dcbfb7ab140d86d1eba945f0ee0a3055c8e410b73

SHA512
98a0a5f85d4b59067e615b0e274cecfca475c14f6f09586d4ca7436a55611937b55fbbc6dbaeb1824c284a90314c96365fae7f87253dfab3e5d46220a08d8a31

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
64KB

MD5
8ec98192165afbc4841f771a7cf3f303

SHA1
e09d9242d8075a77caaedc9c88c7ffcb3549eaec

SHA256
c0903c801b258d19fc08a5b71901f097ad6f9a9eb84cfe4aaaf44bd58e30afa8

SHA512
3f0739f516db8b41f1e0f51356a70a033397bca641f8ae7a4ecf3c90ced9569c23d2c86733c781721b50225a5288bc105a4b033ac398fa6c6ab3340d497be9cf

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
fd2f12030a1bcd4a62958e78e8ce78ab

SHA1
dad59cf0608e8e3c68d9fadc336acc08825c3ccf

SHA256
b6f843f6afdd651dea66979f4bcf24722c1853fc2c0fc43edf3d5f8ea616585a

SHA512
2df78df3940505d4202afa5ee23eab5fc0a62aabe6cc4733dc34c91a5a6a7375b1f900e365c246058584af27e23dbee908100d70fc5f7b1ad91ac8f2a423966f

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
49cb2e91602750a6b08edd40df81d085

SHA1
e0ecd376da4cc60ba63b9b8e51a5f60dc4e6700e

SHA256
6d02639c5e75cd012073ae90e118529575d3a262fd135782af4edb75a4e11cbd

SHA512
2435014455f6f71a96c7304d82db3e0c8dbc5dc45e281399af11d1f46fe926d84cd7c5e3665c5e3b2eee51802fef77be33cccfe2742c6ae6dcf90c9022c0f75f

Download Submit
memory/556-264-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/556-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/644-216-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/644-267-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/764-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/764-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/936-207-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/936-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1080-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1080-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1104-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1104-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1108-270-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1108-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1812-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1812-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1860-261-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1860-262-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2108-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2108-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2260-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2260-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2480-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2480-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2540-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2540-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2640-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2640-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2920-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2920-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2928-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2928-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3004-269-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3004-198-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3160-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3160-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3436-234-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3436-265-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3580-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3580-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3624-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3624-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3936-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3936-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4256-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4256-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4304-225-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4304-266-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4532-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4532-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4584-189-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4584-271-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4800-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4800-112-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4896-263-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4896-252-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads