423be747832fce87984a8f8eabbf9de3c5608f72af04382e84870c095e668a33

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de23169cad55088df9649098bbb9030N.exe
Size

56KB
MD5

0de23169cad55088df9649098bbb9030
SHA1

88b5e1f5ebbb5a328fddc54fb2d81aea94908916
SHA256

423be747832fce87984a8f8eabbf9de3c5608f72af04382e84870c095e668a33
SHA512

50fb12711a99b7d6de8c388e29698969a2e5f86611652f0a94f9c0ccd216406fa742a7a1c457992140c2b364323f9e6c75f9bced97d5710cd0fb7865c1e94383
SSDEEP

768:+rYL409rYqwyaegG+7AV9AqoKXi9qILhaSfiPwlxU2Rx/1H5tQXdnh:+ru9rY5LegG+yGyiIILh/lRzXi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0de23169cad55088df9649098bbb9030N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0de23169cad55088df9649098bbb9030N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe

Executes dropped EXE 28 IoCs

pid	Process
4716	Cdabcm32.exe
1404	Cfpnph32.exe
3436	Cnffqf32.exe
4524	Cmiflbel.exe
3580	Cfbkeh32.exe
428	Cmlcbbcj.exe
1628	Cdfkolkf.exe
2004	Cjpckf32.exe
452	Cmnpgb32.exe
4960	Ceehho32.exe
3372	Cffdpghg.exe
3752	Cmqmma32.exe
3820	Cegdnopg.exe
4004	Dfiafg32.exe
4136	Dopigd32.exe
2944	Danecp32.exe
3692	Dhhnpjmh.exe
4488	Djgjlelk.exe
4412	Delnin32.exe
4376	Dfnjafap.exe
2268	Dodbbdbb.exe
4400	Deokon32.exe
8	Dfpgffpm.exe
1228	Dogogcpo.exe
3172	Deagdn32.exe
1544	Dhocqigp.exe
916	Dknpmdfc.exe
4628	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	0de23169cad55088df9649098bbb9030N.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	0de23169cad55088df9649098bbb9030N.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	0de23169cad55088df9649098bbb9030N.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2640	4628	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0de23169cad55088df9649098bbb9030N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	0de23169cad55088df9649098bbb9030N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0de23169cad55088df9649098bbb9030N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0de23169cad55088df9649098bbb9030N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0de23169cad55088df9649098bbb9030N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0de23169cad55088df9649098bbb9030N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4716	1776	0de23169cad55088df9649098bbb9030N.exe	83
PID 1776 wrote to memory of 4716	1776	0de23169cad55088df9649098bbb9030N.exe	83
PID 1776 wrote to memory of 4716	1776	0de23169cad55088df9649098bbb9030N.exe	83
PID 4716 wrote to memory of 1404	4716	Cdabcm32.exe	84
PID 4716 wrote to memory of 1404	4716	Cdabcm32.exe	84
PID 4716 wrote to memory of 1404	4716	Cdabcm32.exe	84
PID 1404 wrote to memory of 3436	1404	Cfpnph32.exe	85
PID 1404 wrote to memory of 3436	1404	Cfpnph32.exe	85
PID 1404 wrote to memory of 3436	1404	Cfpnph32.exe	85
PID 3436 wrote to memory of 4524	3436	Cnffqf32.exe	86
PID 3436 wrote to memory of 4524	3436	Cnffqf32.exe	86
PID 3436 wrote to memory of 4524	3436	Cnffqf32.exe	86
PID 4524 wrote to memory of 3580	4524	Cmiflbel.exe	87
PID 4524 wrote to memory of 3580	4524	Cmiflbel.exe	87
PID 4524 wrote to memory of 3580	4524	Cmiflbel.exe	87
PID 3580 wrote to memory of 428	3580	Cfbkeh32.exe	88
PID 3580 wrote to memory of 428	3580	Cfbkeh32.exe	88
PID 3580 wrote to memory of 428	3580	Cfbkeh32.exe	88
PID 428 wrote to memory of 1628	428	Cmlcbbcj.exe	89
PID 428 wrote to memory of 1628	428	Cmlcbbcj.exe	89
PID 428 wrote to memory of 1628	428	Cmlcbbcj.exe	89
PID 1628 wrote to memory of 2004	1628	Cdfkolkf.exe	91
PID 1628 wrote to memory of 2004	1628	Cdfkolkf.exe	91
PID 1628 wrote to memory of 2004	1628	Cdfkolkf.exe	91
PID 2004 wrote to memory of 452	2004	Cjpckf32.exe	92
PID 2004 wrote to memory of 452	2004	Cjpckf32.exe	92
PID 2004 wrote to memory of 452	2004	Cjpckf32.exe	92
PID 452 wrote to memory of 4960	452	Cmnpgb32.exe	93
PID 452 wrote to memory of 4960	452	Cmnpgb32.exe	93
PID 452 wrote to memory of 4960	452	Cmnpgb32.exe	93
PID 4960 wrote to memory of 3372	4960	Ceehho32.exe	94
PID 4960 wrote to memory of 3372	4960	Ceehho32.exe	94
PID 4960 wrote to memory of 3372	4960	Ceehho32.exe	94
PID 3372 wrote to memory of 3752	3372	Cffdpghg.exe	96
PID 3372 wrote to memory of 3752	3372	Cffdpghg.exe	96
PID 3372 wrote to memory of 3752	3372	Cffdpghg.exe	96
PID 3752 wrote to memory of 3820	3752	Cmqmma32.exe	97
PID 3752 wrote to memory of 3820	3752	Cmqmma32.exe	97
PID 3752 wrote to memory of 3820	3752	Cmqmma32.exe	97
PID 3820 wrote to memory of 4004	3820	Cegdnopg.exe	98
PID 3820 wrote to memory of 4004	3820	Cegdnopg.exe	98
PID 3820 wrote to memory of 4004	3820	Cegdnopg.exe	98
PID 4004 wrote to memory of 4136	4004	Dfiafg32.exe	99
PID 4004 wrote to memory of 4136	4004	Dfiafg32.exe	99
PID 4004 wrote to memory of 4136	4004	Dfiafg32.exe	99
PID 4136 wrote to memory of 2944	4136	Dopigd32.exe	101
PID 4136 wrote to memory of 2944	4136	Dopigd32.exe	101
PID 4136 wrote to memory of 2944	4136	Dopigd32.exe	101
PID 2944 wrote to memory of 3692	2944	Danecp32.exe	102
PID 2944 wrote to memory of 3692	2944	Danecp32.exe	102
PID 2944 wrote to memory of 3692	2944	Danecp32.exe	102
PID 3692 wrote to memory of 4488	3692	Dhhnpjmh.exe	103
PID 3692 wrote to memory of 4488	3692	Dhhnpjmh.exe	103
PID 3692 wrote to memory of 4488	3692	Dhhnpjmh.exe	103
PID 4488 wrote to memory of 4412	4488	Djgjlelk.exe	104
PID 4488 wrote to memory of 4412	4488	Djgjlelk.exe	104
PID 4488 wrote to memory of 4412	4488	Djgjlelk.exe	104
PID 4412 wrote to memory of 4376	4412	Delnin32.exe	105
PID 4412 wrote to memory of 4376	4412	Delnin32.exe	105
PID 4412 wrote to memory of 4376	4412	Delnin32.exe	105
PID 4376 wrote to memory of 2268	4376	Dfnjafap.exe	106
PID 4376 wrote to memory of 2268	4376	Dfnjafap.exe	106
PID 4376 wrote to memory of 2268	4376	Dfnjafap.exe	106
PID 2268 wrote to memory of 4400	2268	Dodbbdbb.exe	107

C:\Users\Admin\AppData\Local\Temp\0de23169cad55088df9649098bbb9030N.exe
"C:\Users\Admin\AppData\Local\Temp\0de23169cad55088df9649098bbb9030N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\Cdabcm32.exe
  C:\Windows\system32\Cdabcm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\Cfpnph32.exe
    C:\Windows\system32\Cfpnph32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\Cnffqf32.exe
      C:\Windows\system32\Cnffqf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 408
        30⤵
        Program crash
        
        PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4628 -ip 4628
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
56KB

MD5
3b2e3036ee668614e23e3857dba3e8dd

SHA1
d447e4ef7f469f336648b961296dca3ed268f837

SHA256
00817ccf756615f4dbd3cfe01d5c7ecc42a758495840d0842453affa2768eaa9

SHA512
d4904f2251e1582008882580def937711cb2a77c86dad6ee93d9a67a4129bf54ac26b0a04e4c5ee6ad8596c9eb9d4ff80b1a8117b4f9d0f64e1cea23d6aef117

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
56KB

MD5
6de9ab7513fcaa6d6fd9a6d9a90d12d1

SHA1
642699ede293cf144fe2343eefbedd1704eadf4e

SHA256
9e60e92e9555c5e9ab8054fbcba3b21847056b6c67bd1936df73773a54590361

SHA512
13ea7758759504c4dc2b18de941b9279b07946d699efe5b0a82e6b21020a5eb21fedc2071124dfbc3d36aafce34ba8e864dc647b476c01c806b1b4feaeab1301

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
56KB

MD5
907dfa1873c5e54c7f2d85f0fb5d6bf0

SHA1
6559a8f846f0186085fcdc6cee1e9b444cbe23e3

SHA256
272c9298b21e01dd098122c483382432e4e3cd11227f5099a83d1e338aa8c95d

SHA512
45ba39013d5a883b21d25eab4b024f8ac45c55b57d07ae4b7b33d2e601e68f91f79a060e7f2e52d10407ead15c2d546b8ab030889f345293d40f8ef12c8b281e

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
56KB

MD5
08559215e086dad5410cea6839f2aa3d

SHA1
41ddf3ed9a3e4dc66994b83bae36b82ec79d40f1

SHA256
d49f20d1d4aa65d3186e5c23a7e87d1594616b1aa7c13298171f918af17b8398

SHA512
7ef9d8eef64eba389451f4e30979e7cfcd9feb6da31b0a059172a84fa0f344781292df2c219e595e22075115a5893c62e4b4afab0b6234b61ec0d48e4ad40e7a

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
56KB

MD5
6b402f72c2545ac46f7c6c418b9a09cd

SHA1
c6df7034a7de384a3826d8626645fb659de86408

SHA256
6a3942307a44ec345dccf48f11046c862d5422140a9efd84d029da6133fe5dc9

SHA512
55703e66ea0a6c3574e5973d09279552630e3a0040b2c544edebb3ef4cf7886b8ec287fa9b308637dcc626d1b12def17c66825a7041d07cd045a3818d3743402

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
56KB

MD5
6c62a3f23131cf8755e77bf742f5f930

SHA1
3086de673541094752ec62809d35078ff62c76a7

SHA256
69fab3d34e7d7c74a434d0841fe8c8081180eb4b08608b86efe4a32b334da84e

SHA512
5389d57c0f38f6115bd2161012c5669b2f2741dfe56195ced4d67d5691b148e503eefdfc55d22b848f2d9f9399be1a866ad527237a0ff02a98a14a72511a0bbd

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
56KB

MD5
ab932d8ed37966e4f5b42920ada08030

SHA1
7b04fe45e0d07ddf960dab209ca834355eb21460

SHA256
9ee3ee292beb98a28e9e3d249fc6e15e50fc2d7bb5b4c0733dbe6050bc4d3fc6

SHA512
f3f7e18f39cdb97d132b6226fe20405bc46952710f1096b79f1bb6068b192a1d7ae0045dcc4b2dff9b07428413b54fa972bfe9b0f641c6127796a8c621ba059b

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
56KB

MD5
fb9ba85ce627e9480b8b4c0559460920

SHA1
8012cea32c83c07618ebc7dc11e553bb8d0df778

SHA256
59b6b601a0930a00b132d5c789f727c536539bf29b4980fe63496b29143d7eb9

SHA512
e703594e01859756979308f17e399be43554ba1b12c737018ce1ca54a7c3b724fc59495a462078b017a106c2ed1bee43bea5a3581983970ad4904bdd4045e669

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
56KB

MD5
d0e989705c2bde3a99919a09eac17807

SHA1
37aea0e8f862f8b9acfc507ea6cd41d2923fdbc1

SHA256
69bf2f9101942b49b49ca92f4abe5418dd54261493681a8f8049fc7cdcaf16ff

SHA512
4749723be9961c13c88e595a2702cfac1e4d82eac4b9323cbcaf273f3adbd9cd98873d286efa6dadf07e46666968960f1f5448a809d99aa9a8b5204fccb70a0b

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
56KB

MD5
2a65a27dbe863406761e4a19672638d1

SHA1
b24c24c2d78571548ec34032afb9587da2892e8d

SHA256
2e79eb7886d9a64d7335c18a1fc11eee9e25841c0e6af1ba8e8f16e59b1f8635

SHA512
a260f6ccc14d68ec22fba34a2c6c62c46c494a499b8da84ce77136ca166f4df87d5a93585a3c2466ae63233b9306c8b0a7a9aeba9ac81160eda5dab174248897

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
56KB

MD5
2b0fdb87e5e0bd1788f1cb4ba4254eb8

SHA1
d533c81940a6e632fbe33e473b7cf7ae361fde8a

SHA256
02c6a9a185d5de4c48c6979a8747bb8490270de5d3bc7d42faefca584824cdc6

SHA512
91f6818b104ee837275801905c7a354165e51eee85ff9f0042e1e5086340b7d0b42ad33479156666862494b5aae8b4c40707c7b1020a03bf6e591f675f7ebde8

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
56KB

MD5
ce50c6d922ddd5ef6165b1e30d719c6e

SHA1
c8464480f10d9e977abb2a94edd5b4ea099cbbf3

SHA256
2ba24eaa75e74cff9df07ac44568f69ef5a03d24695581090a5063e5fc67833b

SHA512
ac8762f77d84bcc7aaf1aef498f33e991ab346d2762a9787bfd35fad81c0e74cfe4d825c562cf39fe88af2d3346204c89587de95b5302465628a54a711b65857

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
56KB

MD5
03cc923ea2d366387a02a5e3d32dafce

SHA1
de59d1df2e52fe3078a8e1f0d6da8466aafb9eee

SHA256
41653593f5da8b04dab073ca0b29fc68b55faeb7d11b722d6d4e6008673b4468

SHA512
a4dadd4e2fdb34ac1b696ccfd00db95cf670cd5cb9020f266099e909bd0f4d64e90dcfa8cac40df00ffa8555dad2d48d9d54668e969d1fd4ccf384d7790edc57

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
56KB

MD5
828743b4d1027154a2da2c732088d94c

SHA1
5d8cd93efb55ab4bbaff8099b84691ef1483d56c

SHA256
b3a0d3bb6720b7331a67924930e98b0b96b366d51b92970106561bb6d7f0d61e

SHA512
5b0402091a803e8d7ded3358fc16f8548ebb9a06469dfd37a984c4e7ffc14f2761409118e5e440aa4e93eac14e9466202a909cf2d32e71db668ef214d7172e4f

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
56KB

MD5
12aa4b2b4a28eebe7296e9f888c0c144

SHA1
2d313c175196a2ef04f79c274fa987cd79875133

SHA256
650e8798ae43278cd84dad4a7dd9971678cccde00109f2510505ca8791d942d0

SHA512
713695f4c426979270888cc357a116bb230e2c120e664837f340fdcdaeaf5dc1c243988ad5c27a7cb3e58ae3d386a1f6cc249cc5f809af944dfa1d7358055659

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
56KB

MD5
4e0d62713778ba633af848ec67eb5ddb

SHA1
10da50fbdc109fe2bc91da71b4547ffb5401e570

SHA256
15db386e7e3457da6c507fbdffb328c4045e90b767baef9cab455d4941d20957

SHA512
45cf0b1796eb063348a58be5802fcfbbbba1ed222ea5a33eb059164e224829b4d8b0b1198ae03f167f3c45b2fe10c0c0a40beb8897cf6027e56da595d90ca90e

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
56KB

MD5
bc28cb2ee2b4204fe15104ff85f5b837

SHA1
4e493a9372a4d733e3f470798f872d391e059e26

SHA256
b1ee30a7e9561e1162787f80885cb3165a541684aa0c1a88f01d3acff72f3df6

SHA512
4219421907c2c88a22bc7d4e068be86f3d04a223b612a8c378b9f2d3d3733e3ed34cd79fb7db450d0e3b3fc030ecdd144f7d52fd4aea91e4254c506bf4fb3252

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
56KB

MD5
8988d6e3364a3a2dbc24d364debd6af3

SHA1
e9c9a5d0dbeccc79d7711ec046a9d2ccb428d8ee

SHA256
2d7dde6c8c83c3229018dc99239bb45349abdcb5a35ae38170985c0ba53c83b6

SHA512
d88be0aab282ac2f0c8b31c8e497d03d01c4b1469ef82787ee00a25946ebba6fd57be8c4b3b06edbfbdec341278eaf44951858578c58bfc3a0119697d3cd9c59

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
56KB

MD5
074f0a9247ed36975b99af2f1d922f7f

SHA1
85108ffdbb645c38463861a1a4c974cdcc76f8e9

SHA256
0d6f3e3dbf94b857d0f1c467d089799679e5a1206d4ddb122bb000f4dc8a622a

SHA512
66cd61e163667d01a0cb1fd33aedb75b36d06832b14e79cb34a33694af519908654c20e0a8f4fe4fc36073aaa7c45d3026270a60ea13e71c9f0b70e835b03f28

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
56KB

MD5
66fea591b175413e8894c6ae2bf623e6

SHA1
3b21ea3ffbd5294853578ffc2110a4ba195a2659

SHA256
5d12ed4b65c9c8dc908c3e27db5daaf74254ab914b01a99e4362b3bada3dbde3

SHA512
89e72e2f44f7e022aae0b3d5b3ffcdc02efc06e6b321cb23fbcf3ec4f8213563485f49ca8cd1df1b1b869b00555a142f327958b909832ff8783518a8926ed720

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
56KB

MD5
a3310922a50e5f0158ff6dc1d08aa72e

SHA1
e4800755bf27db94d6fa75a32b557546bfad5bcb

SHA256
936ffb14ce46c03e7dfb352dc195f4e11d1c596901bdb5a0d4dfa9792ec15928

SHA512
c28cabd4b1a3bcf7bd0f2b84e37902ea4a472a5741b00674b8400874fd33a280c59834f36efc354744d6cafcce3cb238464155aef09baee864308b1d6e3a81ee

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
56KB

MD5
28ccd9e79f511878c3805370daa88517

SHA1
8e4b20d034434de36907117efb4c825f772b30a9

SHA256
d0f0f89286795b20fc1ff210709ea1b0151eb95df6ac7ad726d37d0fbe2aae2c

SHA512
6e5784d37e8832cfd08eae372c03d842ecb943b616be5ed09fba153626e97110d24ab2b3604bd55b406e750a59cc70cd1e2b4caac84dd876c3cafdfa0eb64eab

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
56KB

MD5
bcf37283d57aae272cf93d3e715f1a95

SHA1
0354aacfc90e9e88d369ac702a707d5f853d8023

SHA256
059c5847b5cded0b5221edc22bb8d200d7208ef33414e0427d2e440ce722b35e

SHA512
a82956cc56922c98567b269c836207997b45561d80f2d444f7baa806388b43924f625a8e57f8b555f61c81b63e0454929863f0b6e5c453a815d547e5ef4a4035

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
56KB

MD5
d60574e9ad5fab4932549365ffe959f1

SHA1
5758667346a4f73bc2c2f8ad024d6d5bc1c4314b

SHA256
1d34447cd3937d31a9137226258fc47ce806424f436cdb14655164827a9bb360

SHA512
7c31925bc47a81d3bc1f93e0b4bc2a63650d8d4e9a7e6289238454120a5eaa86994e0e1a0576603c48b067c2382220baec5e85d24754b837a045977da6940d2e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
56KB

MD5
5ed59326c0257c756c49b89fc37423b2

SHA1
8847cac94e81cbbd3b96ece152bd9d07758bb824

SHA256
9c7899610eab8692ce9d427c0cb063c91e6b4552f1bc1093b4e02249cd94f4ba

SHA512
e61fa9d22b2be68cc57ec75ed4f90122724444ec47f12ffe7ae0a63101500c52c59a27b2657dd897c99dae791f32a6ba2fd3be1f7d2092adc4c0f31e372bdfc5

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
56KB

MD5
5f007aed46814b2da5ae63e91993f69f

SHA1
a26b7dfa4f5eb0f42e1bc15efe76168a83778361

SHA256
b8de64be91c3922036072215f08a4fb1ef764c28040b047f5dda88c85d892dc2

SHA512
fe45075ef5bfe8119a102b413bb63e1b7aa1c2f4b66674a17d8d051d54099aa596ef6dfca89f2528bb7af7f7c20a093299c4176884c2372c6673e5da75aeeb7f

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
56KB

MD5
492374af804588f8aa2c22a3428af9b6

SHA1
a271082ed2919d3cdc7d754f133ea1811689d7c8

SHA256
534af1b1dd7ca33755b397693b00f0d4d6fd26b6a0b05e5ceeec30499a110455

SHA512
47a9654a48dbfc5183faac690853e136905309414fe93401e6b69296b86acef918ff377317a857ea4068f3980d3be1539b7a528060bf1a3456c78f8ba3f2c2f2

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
56KB

MD5
0494366a231553967397ff96a97b07b0

SHA1
22f1b5f9a55a5ff4e7046203152ddc66f9b8f474

SHA256
3563340e3eebd241d434d60081cfeff3ab82bd49b2b861a2359b4e40e5b03b76

SHA512
b6b14496ca33b6ca1ada5bdfba5c837acaf0de33f389009eca82897deeaf489aede9c00c209ccc034662db1a806d590f33b8c7e1e99d6cc3a272add7b065da91

Download Submit
memory/8-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2004-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads