e050c03e150f0a41a8382fd23ff15219bda4f666324af691de6e18cec06d6624

Analysis

max time kernel
104s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 04:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad6f1d6325560ac03b63dc7344142260N.exe
Size

64KB
MD5

ad6f1d6325560ac03b63dc7344142260
SHA1

94da4a98f0105883282ebacc81be60584dc3b064
SHA256

e050c03e150f0a41a8382fd23ff15219bda4f666324af691de6e18cec06d6624
SHA512

6a396f31cd58b5ea2b3dc79f42d52c22c9428c3d25d0418a5c925a50e8dbc6eb40ec062180c99677f13a588d387f356dc3912aafa219165b1cb6c3534f4eaf7b
SSDEEP

1536:WJvxZiJwR74Tcr99R80c52Ll7LIS3hGMcVNtBqq3:K+wNzRGWl7LISpcVAs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ad6f1d6325560ac03b63dc7344142260N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ad6f1d6325560ac03b63dc7344142260N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe

Executes dropped EXE 31 IoCs

pid	Process
3124	Cenahpha.exe
3436	Chmndlge.exe
5004	Cfpnph32.exe
3704	Cnffqf32.exe
4296	Caebma32.exe
4452	Cfbkeh32.exe
5072	Cmlcbbcj.exe
4492	Ceckcp32.exe
3220	Chagok32.exe
208	Cjpckf32.exe
4132	Cmnpgb32.exe
3008	Ceehho32.exe
2404	Chcddk32.exe
4596	Cnnlaehj.exe
3212	Cegdnopg.exe
4228	Dhfajjoj.exe
4780	Djdmffnn.exe
4256	Dejacond.exe
4280	Dhhnpjmh.exe
2952	Djgjlelk.exe
3588	Daqbip32.exe
632	Ddonekbl.exe
3444	Dfnjafap.exe
2680	Dodbbdbb.exe
2704	Daconoae.exe
1048	Dhmgki32.exe
4300	Dogogcpo.exe
2592	Daekdooc.exe
1312	Dddhpjof.exe
2772	Dgbdlf32.exe
4700	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	ad6f1d6325560ac03b63dc7344142260N.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	ad6f1d6325560ac03b63dc7344142260N.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
432	4700	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad6f1d6325560ac03b63dc7344142260N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	ad6f1d6325560ac03b63dc7344142260N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ad6f1d6325560ac03b63dc7344142260N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ad6f1d6325560ac03b63dc7344142260N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ad6f1d6325560ac03b63dc7344142260N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3124	2388	ad6f1d6325560ac03b63dc7344142260N.exe	84
PID 2388 wrote to memory of 3124	2388	ad6f1d6325560ac03b63dc7344142260N.exe	84
PID 2388 wrote to memory of 3124	2388	ad6f1d6325560ac03b63dc7344142260N.exe	84
PID 3124 wrote to memory of 3436	3124	Cenahpha.exe	85
PID 3124 wrote to memory of 3436	3124	Cenahpha.exe	85
PID 3124 wrote to memory of 3436	3124	Cenahpha.exe	85
PID 3436 wrote to memory of 5004	3436	Chmndlge.exe	86
PID 3436 wrote to memory of 5004	3436	Chmndlge.exe	86
PID 3436 wrote to memory of 5004	3436	Chmndlge.exe	86
PID 5004 wrote to memory of 3704	5004	Cfpnph32.exe	87
PID 5004 wrote to memory of 3704	5004	Cfpnph32.exe	87
PID 5004 wrote to memory of 3704	5004	Cfpnph32.exe	87
PID 3704 wrote to memory of 4296	3704	Cnffqf32.exe	88
PID 3704 wrote to memory of 4296	3704	Cnffqf32.exe	88
PID 3704 wrote to memory of 4296	3704	Cnffqf32.exe	88
PID 4296 wrote to memory of 4452	4296	Caebma32.exe	89
PID 4296 wrote to memory of 4452	4296	Caebma32.exe	89
PID 4296 wrote to memory of 4452	4296	Caebma32.exe	89
PID 4452 wrote to memory of 5072	4452	Cfbkeh32.exe	90
PID 4452 wrote to memory of 5072	4452	Cfbkeh32.exe	90
PID 4452 wrote to memory of 5072	4452	Cfbkeh32.exe	90
PID 5072 wrote to memory of 4492	5072	Cmlcbbcj.exe	91
PID 5072 wrote to memory of 4492	5072	Cmlcbbcj.exe	91
PID 5072 wrote to memory of 4492	5072	Cmlcbbcj.exe	91
PID 4492 wrote to memory of 3220	4492	Ceckcp32.exe	92
PID 4492 wrote to memory of 3220	4492	Ceckcp32.exe	92
PID 4492 wrote to memory of 3220	4492	Ceckcp32.exe	92
PID 3220 wrote to memory of 208	3220	Chagok32.exe	94
PID 3220 wrote to memory of 208	3220	Chagok32.exe	94
PID 3220 wrote to memory of 208	3220	Chagok32.exe	94
PID 208 wrote to memory of 4132	208	Cjpckf32.exe	95
PID 208 wrote to memory of 4132	208	Cjpckf32.exe	95
PID 208 wrote to memory of 4132	208	Cjpckf32.exe	95
PID 4132 wrote to memory of 3008	4132	Cmnpgb32.exe	96
PID 4132 wrote to memory of 3008	4132	Cmnpgb32.exe	96
PID 4132 wrote to memory of 3008	4132	Cmnpgb32.exe	96
PID 3008 wrote to memory of 2404	3008	Ceehho32.exe	97
PID 3008 wrote to memory of 2404	3008	Ceehho32.exe	97
PID 3008 wrote to memory of 2404	3008	Ceehho32.exe	97
PID 2404 wrote to memory of 4596	2404	Chcddk32.exe	98
PID 2404 wrote to memory of 4596	2404	Chcddk32.exe	98
PID 2404 wrote to memory of 4596	2404	Chcddk32.exe	98
PID 4596 wrote to memory of 3212	4596	Cnnlaehj.exe	99
PID 4596 wrote to memory of 3212	4596	Cnnlaehj.exe	99
PID 4596 wrote to memory of 3212	4596	Cnnlaehj.exe	99
PID 3212 wrote to memory of 4228	3212	Cegdnopg.exe	100
PID 3212 wrote to memory of 4228	3212	Cegdnopg.exe	100
PID 3212 wrote to memory of 4228	3212	Cegdnopg.exe	100
PID 4228 wrote to memory of 4780	4228	Dhfajjoj.exe	101
PID 4228 wrote to memory of 4780	4228	Dhfajjoj.exe	101
PID 4228 wrote to memory of 4780	4228	Dhfajjoj.exe	101
PID 4780 wrote to memory of 4256	4780	Djdmffnn.exe	102
PID 4780 wrote to memory of 4256	4780	Djdmffnn.exe	102
PID 4780 wrote to memory of 4256	4780	Djdmffnn.exe	102
PID 4256 wrote to memory of 4280	4256	Dejacond.exe	104
PID 4256 wrote to memory of 4280	4256	Dejacond.exe	104
PID 4256 wrote to memory of 4280	4256	Dejacond.exe	104
PID 4280 wrote to memory of 2952	4280	Dhhnpjmh.exe	105
PID 4280 wrote to memory of 2952	4280	Dhhnpjmh.exe	105
PID 4280 wrote to memory of 2952	4280	Dhhnpjmh.exe	105
PID 2952 wrote to memory of 3588	2952	Djgjlelk.exe	106
PID 2952 wrote to memory of 3588	2952	Djgjlelk.exe	106
PID 2952 wrote to memory of 3588	2952	Djgjlelk.exe	106
PID 3588 wrote to memory of 632	3588	Daqbip32.exe	107

C:\Users\Admin\AppData\Local\Temp\ad6f1d6325560ac03b63dc7344142260N.exe
"C:\Users\Admin\AppData\Local\Temp\ad6f1d6325560ac03b63dc7344142260N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\Cenahpha.exe
  C:\Windows\system32\Cenahpha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\SysWOW64\Chmndlge.exe
    C:\Windows\system32\Chmndlge.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\Cfpnph32.exe
      C:\Windows\system32\Cfpnph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 420
        33⤵
        Program crash
        
        PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4700 -ip 4700
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
a44006e282a87d5826abc9375f34c187

SHA1
50752bcc4b17eb61595f4fc9ac2b3c6fcd765aa9

SHA256
c2f623e5eadac4ceef44cc6da42310bb340a1effd5528a0b0d283b535a21f41c

SHA512
04e6be3353a2e1f113b1c2234b7bab6190e30ffd653eef2c5fc0fe0df981d4edf40a16a9652ef877584a5cb58687ea6813075c3a401d3cb52edd54687cfdd8a7

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
64KB

MD5
983a5d61d5268a2f5a8e28b12cb129f5

SHA1
97e7bf9e65281a84d158f280300d67c13b99986d

SHA256
3d79a65f31949847f164b0030724cd6c1311981991b575b9e5c2491da464240d

SHA512
bd02851accf29f67f562733158a9e9fda89915c7982dfd09688390666f216a5d075479b6e92b89d9d1fd17ae0d73dcffeb2ec88542b4d93fabd6a79b3428c04e

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
114f2ca0773d650410a4ffb722a4a562

SHA1
ac90f26d0b99729eb2834fde7e2b9600d11018e4

SHA256
514cfe4785004abec9f47fdbe5bdf504d858542d972b2d803ae150f3a131949d

SHA512
18deb6a7b62f9bf6cce2c4390407c4b1b810ac4251abb53c3d63e55f84643e52599bc67d24e3c92c202888e4bc773a2d9106a0ec7b5fe9ba1958fd71ce52d61f

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
ed37f003b59b80a49c1fa7d33ef257a0

SHA1
9d698e4841ce06d7fc97900a2acf46d0d4ec4e35

SHA256
9fd27b0097784f7099c5ff65bf089812b1468a179ed0b07ff63be82cc9bbe240

SHA512
58e9e4c1959b1dfd0783bead96b060f1997837d10d94b79a9e037c45bf6fc186812432b8f0b2c5476e517571d85e725f1242055ed14c3ab740550a84087cc56a

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
64KB

MD5
cb1eccfa8e71d70b800840e3bbd67eb7

SHA1
3016aa7110e7c385d1bb73a576f5b3269176bea4

SHA256
463e2bde7581c7747f806262af6e157acb830da571c2bdc2754b9b0df173ee3d

SHA512
ceb49568228a17b0463f0d8a33e5b067a553e266fc76e2202ec1e7a540f45c74551cce5f2eab4aa5fd352501e13eedaead04f56043581b9bc86f255483febab3

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
2ce00fcbbbef3c90516700d14b87edf6

SHA1
3827ae579357a24ecd44c20229240777f0ab18c6

SHA256
5e8da9184c50ef464c42aa27ee95a53bf01bfdebb0b9740c8d92c364a886945f

SHA512
8a9113d319cdcd4d4bd24aca3411db0951ff6ff03a6fd2276e77c2981932400684c28d8f3e9a6e754198a4a43a3da25e1a9e91fe1d590d6dd64764b0d529cb59

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
64KB

MD5
9d0ce785883606574afc8a681b8f9c78

SHA1
69fa736492a165fdcd182b06e7476300651c0f3b

SHA256
9ff97d98c4b4cab91c428d2a58b78316d75e2a234dbd259dfd2ce05a1c8c4585

SHA512
230ac644f0322b32908c3cb528be6ba81a072367457a6ad67afa43b7c77b9f5f722b84a27f742e4e4483560abca908116dca520bace2daa2fa9f15b9960d48b5

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
64KB

MD5
ff09f28eebcdf82b50f940ee90dbe1e8

SHA1
ba5a1abe4d1bbd3294d880a06bc1b96bf0b14584

SHA256
f67c9ed8c5823417387712585b128f677007bd89833bea5c2e8737546dad0ad1

SHA512
ece22881b3e174447cbbb73ebf3179f47dab3087b64c68c3b6fc691c726ee45f8a0b47020acdd0f5e7fc4c3691bed4df4b6f91816488f13b34488f316bb073dd

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
6c6e14ad78143feacbb4ca1d76ccd57a

SHA1
b31d6a2f839a0ebad953b5464bae35ee5b813d8b

SHA256
c71662cc7578dad5dc1bbf0f865985b84f07924ff9735534a25bbb5442954371

SHA512
c35dd67b32bb6fad637bab604b5db19920f7218374ecf1c7cda9cc34fa15df8b4e82d1f229bf4d97abc1cbd5e822025416503a95aecd66e67387a358b9022596

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
dbedede00abdaabbe8167f50c443da9d

SHA1
ea13bfb1b860a0dd88d2bc52f5d41de346707f74

SHA256
d7ebaf720fd2ae417eca76f73190aededccc06329c3e018feefc039e88d317af

SHA512
6cda3edec8e858caee16c839f661b483789c54f632d2cb500316ce932395e478721109d10598eea511c7c64ec046aaf4f9c25feab18a1a12ee244c3b9762df5e

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
bed85e8f8c84aa71a45dbac069a7d4e3

SHA1
05642ac0212c57300adfa593dbbcc476ec61dc52

SHA256
74ad8725e8bcb2bde30e47cc73fe38d1f8481ab2f3536276d8e9f2f7e76038cf

SHA512
06d870c9c771b786b3e16e8b4fac9e6bff4f11727aa4188b73622ea2af11cc583d517e42d655b52dda308d89d7757aa92f4c295b94023cebbb71625dfa6e2a6f

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
253b17fe683cd5b61758318c76e830cc

SHA1
bb953f75fb6c1f1310a736de5fa9974c33b485c1

SHA256
9824c5a135a6843b5ef84ea44444a64209a2f13ef415104ba48c4178aff130a8

SHA512
6565d3975a62e0d724a89813dee2938743df74953e10546c60a75d2a3680eb3b2fbfaa9b1649bc2f497e98fff2efdd566725277106754fe659da093c37840cf8

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
caf0ec604cd08906028b130739059a16

SHA1
b4f11223b8cec2d55f51ae0a92f0ec36a6f8510e

SHA256
f85df3a28fe1b802fce1bbc63fdf18a3d9a687838465966d9766c0544388e97b

SHA512
c5523bc6161d4026aafabc1d1a3c55706b94c16970b5b6d8fe481eb7098868c6396851fa52b94013e9f65c1c92cac323b36b99556ff0452482530d5a621d2e86

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
1b3f734404bb37632035aedca78c7a5d

SHA1
2dbf68f7c53a42a9df8634be7679887536f55c53

SHA256
4958a136dbc6fd48def7a75058d128a0c058f49781d9a9691a9e884bc0c7f736

SHA512
805c111b1203bf13668348cc1383a2331d2a3c14ec8f2274bdf609ddd817a838b2a9edfd3aedbe44dd183f6e5a0c64fe3c1d64ce14eff9ca5765bd8f7024c8ba

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
032c943c1a679c1ab8e4b5142f822efe

SHA1
cad6de5a6a2f2c579466af1a80151675fe46c247

SHA256
988723ed0b2f559c4caac8fd378cd4f1ae2fe1255752911f923f0673ba34db02

SHA512
8ac2627ee8f3296ecd5357d12e239b4ca33c5adf79cd913f4ada6fd65cd739561beb86b8ca09bc0f47cb9b0ced2a0c621342c0bcac8b62eb5414f3aea37495a8

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
64KB

MD5
117b5222101c7a90dfbd7753c90984bb

SHA1
c394515eff8fffc02255921f327c3fe717a2a6f5

SHA256
139c029b9fd037019dd9a9149d4d1c6fa723c4dd6fb6a624f6fa9945393de388

SHA512
ad2a73a60acf6386db8d69de80dd58218238b820fddc6afa5ad49dc0440eacf657f7c1ebcf9fed8085da85eb28e6bfcfd9f19f8f9d8c47e3e2a1fe59000b6b96

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
6dbf2dff735f1e41c369947f391b6df0

SHA1
7212ef35c09e83ca3b76e3201da64e752a5adcb6

SHA256
e7c5b709e543512328725aca0fb2743a4fa394461f6588e13b70f3246db8c666

SHA512
cf2a8fd33f95b3f8cb44f9036fc5e260fab7cce808c91e886e7c067f9d6ee22184b5052e8ec6965d770d9940b7e66960c9b57e6ae1258654c3536ce4a7be0bbd

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
ddbc274b806bfec5824d036ff9f80f63

SHA1
fe8bca36e77df2ec76d351936cf514c6ce319e88

SHA256
6b49ca3bf6221e07a15210a99cc4ee8045bd0f57d5347d347b25a1cf64a561c4

SHA512
1044f1ab9ff4b539419ca800ce302f8c7a9194d1bdd8cdbb196a01deffa079813470b4c0014b2e6bb10b7da95bb910e748da6be8f2fe3b59a13ae723dd6c64ac

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
64KB

MD5
0e74435944eb484fc11e91c7934e343c

SHA1
c28663976808fe884e326847a3cf17924c0ac52c

SHA256
47a09aea7cfa88ef521acba3248f4b4e5d4df1699d8252094d9fda3d443e9b5c

SHA512
5df4587fd2accacb86cdc533a2a8b63a087c217f49776a09fc7262e313e2c6e0e39e321ae9e72e36e9c1ba3ed4658d07d1e637f3871f3f2bfe9735c564897780

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
3276a9bad0baf6305aa9d92f1c2a90cb

SHA1
d9fd2b0a9ca81415109749b1c6d26fa8bae5efd5

SHA256
99137b3b8f9830ce553424e27e20a58a1e163e498db401dc5797bfc2feb754a5

SHA512
c970d4db72cc1d6f01d5d65a7312d66e0fb186491c4bff49c4bd77ca119f4f247d8a537bf83c3c37f21b83a74bab51285b65f615f1c750810a7a1978e193fabd

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
0926f9aef0645e5043d56a83a08205d6

SHA1
0b2853336befd6378cf59c8941c0a526be8b23e6

SHA256
6108ed35d6c14c23c14158ccf49a685224f5791c4d86f0386b8c48d0e26b4413

SHA512
3d7822d4dd3d05595c22022b87b6d911299c58ee5323897f3bd114705ba5875a62623c3c696aa779ee75609cc02906176560c7f6d32ba9df518635a087ed977d

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
64KB

MD5
8cc5498f449003d4800ee09f440c7a62

SHA1
2a2066b46713580864812430c69de861328f2482

SHA256
db15ea2ac77f36463c29d633e32eb856deb30c16ef007d42173dfe9658162fef

SHA512
deb14a3ba7021036ddee306c9511e7005e4802c00f4952db4da03dc1e744e67f1314e9a64d280a1c288dd36af9e134b50015703d1a1a958a15a51e4a37d07bb5

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
8bf5b09d20762ce11237d0e8eda52ac6

SHA1
6c2267a8fb1cb5b105972447feaccd3d34ba6d8a

SHA256
a1a1a454e080c70ccedd6a12d3bddfe72374fc8aef01abeab2ea74c9c8acbbd0

SHA512
493e8260b179c494a23f4f7b90b5ec255d48e74b5c683b9ae261afe6b9d540cddbdb9f5c0be0af13371026f8092a60e373e577eb4da08f4ea0364418bcfb4c68

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
64c02061f8d14c330e8b031674a4cba5

SHA1
0ecd11bbd059b9b6221546a29ed3552722cc0e3f

SHA256
608798fc2bd1749fdb1236371a55d72c619fb646b644103649e991ac217a784e

SHA512
27b659c6faa6a83897eb5ca45c5d4e64cd59558218857fa6438ca9ad20d2b3131c8ce40bd4eccad29425edb6b54ad0648b3a04e82a3fb3d414eedd25fa513345

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
5706ed644bb3b531b5183540bebeccd4

SHA1
e1f063440b7fbe7a53148d7fc3593b8feb77c485

SHA256
93f7daa2d51ea23a04f4e7eae962508b2b1de99fcf02a9214cb054a156f12c93

SHA512
e21c5db3a5873b3a3608218efbf25c0ca8f305203fdf1b66ee21142b492695affd9905b4405c206fec3b3158b86a2cc30c5bde371ae10a5848848dd23f97fdba

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
5574b6d2c3c8e081ca3134ff691b94e7

SHA1
63010fa85c8a7c0bb09f58f985f029eb8004bedc

SHA256
450483e30f08f71f122b2e1eb3aad653ad68de668fde97cfedaf2e53f3ac016b

SHA512
bce9bd5a4ffdf4a8a57b3d9ad379e3f67279acf385d5a52fc844e957ae73975390c9695a429306ef847fa650f34294ee5b842819c472c39cd7f6021692e10737

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
64KB

MD5
c18b3bd0204b2d977d3c68ed76d48110

SHA1
2b7ed3fc8236acf1311d98fd0d4189dbf340babe

SHA256
4f732b7fd608b2cf2e4e07e7b67898ac2c41f49a626e4c8746872173c0b03603

SHA512
2767017b82bf3896cc0f070eb4f124635c54b00285221497eee4bc573cb0c8ecbe2565cf2b2947d90662747ef93c428a4b4d6ae0cb3655ed471d4f5b2ff581df

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
5a44681574386bcf8353eebabecfa5cc

SHA1
68f7c55885fedcbb8a75b784bf8906ecba758b78

SHA256
392a82a71e4ed74c595c05fc29c5e71c79af986fd3bb2cbc81e2e519b6d2c18f

SHA512
fca8030a57923fd52d536805f6d47afc9657fa8b150d65c2ebda0ab837d94175e2e970b22260e3be2baa8e9103acaea555584850742915df95e5d84f6b814303

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
d5b49c29012bbc9dfa16fdcedb80757b

SHA1
9e6c2ae9751daa85473dfa71fec69f200ff91958

SHA256
5f54e41ec5ec00da23a4de9c811cab5d623f087c90dcc158b59a98e84ac2233f

SHA512
23ba9ca5d505166ff43c656410d085d93cddd861bd75aaf3725aa54029915f99ac8c0c28ac044a5fea313bb98e2242d07bfd9ebb8f342b032edcb181a5b04cfa

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
64KB

MD5
e52fc6d11afef4e9b7ac925042fb422f

SHA1
f1db747f3d971658e04e3048e1ae78139dec6292

SHA256
79924ac9432a2836730c30959992f14f50736847410706cb44d254ca0e0ed68f

SHA512
e606ecce1aab72eb7bd6b5b34975e8da4476a9c26f216b4fbb30f870bbeba8e2adc562aa5ca8694cbe5caa4c262ca2c65e2223d9177aa1d82c4968282291beff

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
c6a6bfa7c4f695f30df3bbf4fe332c66

SHA1
36277a047dd54dbb596bf786f4acd913cc3d11d0

SHA256
d495992c21823c9e171035656b0f9ef91fce9ef0effb9b603cb07bc8cb109653

SHA512
15437ff607c2e2886c3143b2a0dc884a88238f271466420695995ca746a7cd215f75cff42764ed75233f079b333e8f73df0dc79a3cb94b9f2618726a6709b9a6

Download Submit
memory/208-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2388-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads