d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
Size

448KB
MD5

f239e5fe58b9463160c4f14c484da6d2
SHA1

2d4360dedb3cbc078c7a00bae1b84773bcb24254
SHA256

d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4
SHA512

8a96fe6f77e3703920d4088c4fefa894ca070af72ec70149115632598b5bb2dffac2e68054b212b5a2e3a046ec034d804141b287534c9257825b8deccd5d2ee3
SSDEEP

3072:k/SNB8wcgrdI0dc8d/MJfyEkxnaaYQ2lycpQXSzU9vbT1NgNYIx33rjpu2lycpQm:kq8SrdIRJ6EQnT2leTLgNPx33fpu2lD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe

Executes dropped EXE 38 IoCs

pid	Process
2028	Cfmajipb.exe
1428	Cndikf32.exe
4516	Cjkjpgfi.exe
4252	Cfbkeh32.exe
3636	Cnicfe32.exe
3936	Cnkplejl.exe
2840	Cmnpgb32.exe
1636	Ceehho32.exe
1340	Chcddk32.exe
4520	Cffdpghg.exe
220	Cnnlaehj.exe
3436	Calhnpgn.exe
1404	Ddjejl32.exe
3724	Dhfajjoj.exe
5056	Djdmffnn.exe
3240	Dmcibama.exe
4256	Dejacond.exe
4860	Dhhnpjmh.exe
4464	Dfknkg32.exe
4436	Djgjlelk.exe
1928	Dobfld32.exe
2024	Dmefhako.exe
2468	Delnin32.exe
2696	Ddonekbl.exe
3208	Dfnjafap.exe
2976	Dkifae32.exe
4480	Dodbbdbb.exe
1136	Daconoae.exe
2368	Deokon32.exe
4492	Ddakjkqi.exe
4084	Dfpgffpm.exe
3204	Dkkcge32.exe
3668	Dmjocp32.exe
3852	Deagdn32.exe
1224	Dddhpjof.exe
1144	Dgbdlf32.exe
4328	Dknpmdfc.exe
1272	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe

Program crash 1 IoCs

pid	pid_target	Process
4560	1272	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 2028	4580	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe	82
PID 4580 wrote to memory of 2028	4580	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe	82
PID 4580 wrote to memory of 2028	4580	d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe	82
PID 2028 wrote to memory of 1428	2028	Cfmajipb.exe	83
PID 2028 wrote to memory of 1428	2028	Cfmajipb.exe	83
PID 2028 wrote to memory of 1428	2028	Cfmajipb.exe	83
PID 1428 wrote to memory of 4516	1428	Cndikf32.exe	84
PID 1428 wrote to memory of 4516	1428	Cndikf32.exe	84
PID 1428 wrote to memory of 4516	1428	Cndikf32.exe	84
PID 4516 wrote to memory of 4252	4516	Cjkjpgfi.exe	85
PID 4516 wrote to memory of 4252	4516	Cjkjpgfi.exe	85
PID 4516 wrote to memory of 4252	4516	Cjkjpgfi.exe	85
PID 4252 wrote to memory of 3636	4252	Cfbkeh32.exe	86
PID 4252 wrote to memory of 3636	4252	Cfbkeh32.exe	86
PID 4252 wrote to memory of 3636	4252	Cfbkeh32.exe	86
PID 3636 wrote to memory of 3936	3636	Cnicfe32.exe	87
PID 3636 wrote to memory of 3936	3636	Cnicfe32.exe	87
PID 3636 wrote to memory of 3936	3636	Cnicfe32.exe	87
PID 3936 wrote to memory of 2840	3936	Cnkplejl.exe	88
PID 3936 wrote to memory of 2840	3936	Cnkplejl.exe	88
PID 3936 wrote to memory of 2840	3936	Cnkplejl.exe	88
PID 2840 wrote to memory of 1636	2840	Cmnpgb32.exe	89
PID 2840 wrote to memory of 1636	2840	Cmnpgb32.exe	89
PID 2840 wrote to memory of 1636	2840	Cmnpgb32.exe	89
PID 1636 wrote to memory of 1340	1636	Ceehho32.exe	90
PID 1636 wrote to memory of 1340	1636	Ceehho32.exe	90
PID 1636 wrote to memory of 1340	1636	Ceehho32.exe	90
PID 1340 wrote to memory of 4520	1340	Chcddk32.exe	91
PID 1340 wrote to memory of 4520	1340	Chcddk32.exe	91
PID 1340 wrote to memory of 4520	1340	Chcddk32.exe	91
PID 4520 wrote to memory of 220	4520	Cffdpghg.exe	92
PID 4520 wrote to memory of 220	4520	Cffdpghg.exe	92
PID 4520 wrote to memory of 220	4520	Cffdpghg.exe	92
PID 220 wrote to memory of 3436	220	Cnnlaehj.exe	93
PID 220 wrote to memory of 3436	220	Cnnlaehj.exe	93
PID 220 wrote to memory of 3436	220	Cnnlaehj.exe	93
PID 3436 wrote to memory of 1404	3436	Calhnpgn.exe	94
PID 3436 wrote to memory of 1404	3436	Calhnpgn.exe	94
PID 3436 wrote to memory of 1404	3436	Calhnpgn.exe	94
PID 1404 wrote to memory of 3724	1404	Ddjejl32.exe	95
PID 1404 wrote to memory of 3724	1404	Ddjejl32.exe	95
PID 1404 wrote to memory of 3724	1404	Ddjejl32.exe	95
PID 3724 wrote to memory of 5056	3724	Dhfajjoj.exe	96
PID 3724 wrote to memory of 5056	3724	Dhfajjoj.exe	96
PID 3724 wrote to memory of 5056	3724	Dhfajjoj.exe	96
PID 5056 wrote to memory of 3240	5056	Djdmffnn.exe	97
PID 5056 wrote to memory of 3240	5056	Djdmffnn.exe	97
PID 5056 wrote to memory of 3240	5056	Djdmffnn.exe	97
PID 3240 wrote to memory of 4256	3240	Dmcibama.exe	98
PID 3240 wrote to memory of 4256	3240	Dmcibama.exe	98
PID 3240 wrote to memory of 4256	3240	Dmcibama.exe	98
PID 4256 wrote to memory of 4860	4256	Dejacond.exe	99
PID 4256 wrote to memory of 4860	4256	Dejacond.exe	99
PID 4256 wrote to memory of 4860	4256	Dejacond.exe	99
PID 4860 wrote to memory of 4464	4860	Dhhnpjmh.exe	100
PID 4860 wrote to memory of 4464	4860	Dhhnpjmh.exe	100
PID 4860 wrote to memory of 4464	4860	Dhhnpjmh.exe	100
PID 4464 wrote to memory of 4436	4464	Dfknkg32.exe	101
PID 4464 wrote to memory of 4436	4464	Dfknkg32.exe	101
PID 4464 wrote to memory of 4436	4464	Dfknkg32.exe	101
PID 4436 wrote to memory of 1928	4436	Djgjlelk.exe	102
PID 4436 wrote to memory of 1928	4436	Djgjlelk.exe	102
PID 4436 wrote to memory of 1928	4436	Djgjlelk.exe	102
PID 1928 wrote to memory of 2024	1928	Dobfld32.exe	103

C:\Users\Admin\AppData\Local\Temp\d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe
"C:\Users\Admin\AppData\Local\Temp\d3adbf051a8a5c7d46efeae9bc9ef7d64bf922483af7003e9db51f06856f47f4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\Cndikf32.exe
    C:\Windows\system32\Cndikf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\Cjkjpgfi.exe
      C:\Windows\system32\Cjkjpgfi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 396
        40⤵
        Program crash
        
        PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1272 -ip 1272
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
448KB

MD5
23294a5aea0d9574a193cc4e2f8d0339

SHA1
c0b05f5e3ea80eb8b4d993770531f2cf595d2efb

SHA256
81c44b01a71ac4f553ba98b6e7c2b11029761288e0e6119500fdfdfb8688fb06

SHA512
ba3dfad80617ec486f177424a4683e93373553a5dfda4c0ba3fe6e16eb0e22fa80da03b1dcba5839e423348f9b3a56cdc568bc272108ec03f0749866e85cdcbf

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
448KB

MD5
9fe187a1eb4bfd77d3749d7667f0a3fe

SHA1
3967b4b038e0c79bf9e9dfa3f0ba4b9f2a7657b5

SHA256
06b5ce8c2639c1f574812b241369f49f2f435b79b12e594f6d1b34f2c1733c90

SHA512
4b982b26f36a2720f0b9a0856ba15048f512259046339bd5b364df238256a23eec16f0fe096faca87c2a24bd72061085a31f9dc9c5dc654ee067d8e8c73a56d9

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
448KB

MD5
1c18787dc21dddc63aa1f8c63567fb1f

SHA1
98318827fb3a9c456cf9d5a5ac274c865b50037a

SHA256
84b4d796282816e8a16733cea6032383a8d91f8e54f4cca8242f4ecbe6b1ebe0

SHA512
0f4ebd492ca759541ec3faaec762c7bac5282466ee9debaa400ea79fc667867eadd121c6795997c0a48320099aa805ed2254c866fefed3eb98ce909413379876

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
448KB

MD5
6b9c5ae07aaeb2e1d635076475b7d857

SHA1
23dfa645bff2ba3b0113ab1adf0bf81a48fc8529

SHA256
416ea5571ce76f80aab2cef1866b14903916812714da8939d577aedac0311ebc

SHA512
2274ba592c61d3c40272585e047e5867892aa4c0bc34bd206c5c46c76365eef1e99057115186f22b4454d44eec345a3ff32254d562f856d52d4b3ae3215f1b2d

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
448KB

MD5
dc146e33c550d61c9612a0dfbe7b1129

SHA1
4a64c587d9856fe39901392f3c1b1b21267d0df7

SHA256
793154a2974443bb7af24b7246f186311a62a56b9cf7b5782477b0cae9e022c5

SHA512
5d617a112574eace0cc75bc24379b905c3658fc0da92c92a52fd307d39e3c8ed793ffb229465beb00bba781a8f476550e97e131a31f1bedb8346e40c30ab86f8

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
448KB

MD5
d2ed52d9cc0022103f5558df5d93c7f0

SHA1
3506721b8fc82174db5b2996f6b17f2c84638101

SHA256
c3c4096e6fbfaeca570cd2a59bdd18eed610bb87a52b5fc5001488887237e53f

SHA512
88d5a785a4744cf7ef8d746f025da32ea7cdddf157ecbafa4c575dd99d67ccfe7643493b1eb9e55489b59e6c7d6de02ec7dbf6fe6e25bd304b7e979f3ee8680b

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
448KB

MD5
cc85de9712963c10e35633573b058599

SHA1
1d59d99ddf7caf24788e969e6aee8de1e5aafa08

SHA256
76e159426fcbc747b750bfe20b6bc1207b3219458ae4c14df78eeca8ea8b8126

SHA512
235c26335e8c7e94d5c8e8d6d47f63ebc68700a1921f7dde1043ce0bc1c562484723ddf0f22965c8bd1abf5ee61fadf50f6bf1f407666cbd5a5aafcded70a794

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
448KB

MD5
3ff8862c39c490c0617020cdeb670d93

SHA1
c8ff4f0ece9533b4345149043aa7cd368b1d2779

SHA256
6ea56dab8d98abf8888a9342295d0aafc51af91f14f5d6699463b00639927bf3

SHA512
1134160028dc60c717c4ad384ba574bd53103be170b9f1979f7313c902a8db55ef57b20af3a6ca0ddb3c5dc19a3801edc63040e059c3246387a57b0ac90e366d

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
448KB

MD5
c6ec8939d9f6af37fd32164599ff85d1

SHA1
74072be36176a187aa8daeb08f9669f9822ceb4b

SHA256
58f747165fda14e4f38129ec3b8c9175e4f0f7a0def2868165070b1cee4caeb0

SHA512
95d4952ab30edfb103fc4a6fba28831154e1268bda53bbc3d33366588563d77a899bea119f0903e3cb3644aefd289a55486cd38773d6f733cff7fc4690ef3a9d

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
448KB

MD5
8f11995617fd20fcedd53a99e13faaa3

SHA1
b58f91b93ef0f6dd3bb43bd50806af3a76e76fc8

SHA256
49e71b753d88f6ca8209a0b11443d1863c0d535ea006a5516d59431fb2884cec

SHA512
e76404157c53979592e8ebf2411b07b6b23f916f4fb05c5b5035ca466308a8b1463d8e3683b233b3fd365d2ed834056cd70acb891e2475807e9f6f65817dfd13

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
448KB

MD5
0ca71e21a9127e38a92fb0287cea7ae0

SHA1
90ec1b70fc82ad898941377c7c81379a38b5b410

SHA256
b38e65e87af9a4e9ccec244b43271b491c39096d7047f43834c6b6dc9921ad3d

SHA512
c9d3e6bf863617661e12446b306ed8ab839e79ec4ba3bf51c0c5de9112e41bc0b446a9c8f366ec6bf3c34b57a3a2a4acd56a1ef8f77c86c0823d18bae1cb4a60

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
448KB

MD5
c0cdf9b523080ab636f974948ef225d9

SHA1
deb47db2aafde2fb3193aa8d5a8d4c1ba1a85360

SHA256
9bb95693581c462c20bfef835073904777a517342cb51ee5f8f35878c305e20c

SHA512
a8ed8f88881da6b31e2a4c10ce4dab714da1d632a55e2b8508b46dd71d6bb04c26e53fa278ce69133ae2019df0997c3de22fc40d157019bbebd7330902797991

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
448KB

MD5
a38a1feb71e950f04cde2ccbd47f1936

SHA1
faef3750e1f719cba1dd35938793ea18867520ab

SHA256
4444cac7a4401c1d7f8461ad6f123cf27b7c9e6240e4116811d75c9092d5ea23

SHA512
295b09142627b7fe25a8d511712f236b22312b95ead317aaaa08d5464c7e5e5c9f9056d936cae9a57f9025e1c36617d7915948a297ff150da50fec6e887ed514

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
448KB

MD5
20c55686b1251f4f6f91f35aa23065ad

SHA1
80874fd36889560e8e21897aa8a1c5840bb2e2a7

SHA256
cd626c877a208e8dddb967b6c901c9683d3446e70dea9ee69ac29da12d326ad0

SHA512
b892dc2ea2843566ddff1620af1cf52b70e04fcee968d2c515f8f2191f4c0f6fe9fe3019b51ae1df01123c856ba46754b3aefa57dc65e97784c81174f643d782

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
448KB

MD5
7a2934a3aa07ca1c6a40935905512c6c

SHA1
797e2797ac92fef2c1321c553288de9693226e73

SHA256
ccc31f67759be4afee6ff63524446111c621862f10d30dba68cbceb63ff43e92

SHA512
536e5b85613e14e8a538521d677140e0b17e1c29b3c4920998af29382dad43ae011de90ed7b4e51c302d09dd9587e005b941689eaeb52c72da184e60c05b27bf

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
448KB

MD5
0ba5ca1c4eff6f155afbd51a1b769692

SHA1
f242bc31adb876e279c79fa96ed35e1011cf9775

SHA256
cd9abebbc5944b915ceb3ef8759918225e96372577e33a9a36c8b349ff576d04

SHA512
fa89aa8ad5e6104a795c7dad0cfec35cfa079b4a16353007ef484866f6a0adb7aa34af00b46cf656b9170c35c212b3acf7133d0577500a97fc2566d7bd521a05

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
448KB

MD5
23d7cc3436ae0bb5a7c8bcecae6c5d59

SHA1
c61672badf3c656808fa663d02cf13c011e09b59

SHA256
1f96852e740c191080e7705101f1e16d7e556c63317549c8640bcc5d2cca4060

SHA512
2d7e1cab2d97faad4ff6b45352ee2b9640fbd32342839828f5c1b999de293ccd9c2a62cce5a43d5cadd67e904f8c17c21abf4898a3bcce9034c3a04789a600c5

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
448KB

MD5
fca5756c8efe48d93c2af6eef51b1e68

SHA1
394e04cd2fc6d0c5112d22289f2b9b8b08a1b14d

SHA256
326008b4151f6f01a7ef8f8ce55b83f9ab17bc4eaeab16a83bb8f9851aba81ff

SHA512
b62fb364e2ad74482a3a56b1bacba8171df3f80508a53a2d95d2550dfb23faa7d0db5f7313fa017e82de31b4297f185e2016663b2353ea7e83b941a58afb6875

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
448KB

MD5
a8e2cdb09d7af8fff7a7d49826639d7e

SHA1
373d66f8feb53771931fdbbc86be7137205e531c

SHA256
17f585ee306646d11a36c692d904274237f9db85618030a260bf9ac7af56c508

SHA512
00c87c6ee9b26da1edefe21953bae1872e003a206b6a6a23d8c6875cb85983b727a57a8ec102b07f5e55c55677fab1df98ef81dbd1e0b2d428e7732ff03cb080

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
448KB

MD5
c6eab3d007cd997f22c7c385c6039ced

SHA1
b6082ae65bfc0408b832adfceff42bc3cee5d63d

SHA256
c02ac22b3d31431d05c36fd08458ced84378f87a826bacfeb6cd8d3edb061cc5

SHA512
655e4d5b42f3e71ab0b6ccd789bed4ff17a6a33642ab59f418cac9b437c8438b3cfd1903ad1387fffe9fe72a200fa93a64feb6a851128f1aa84239fa76f5bfb2

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
448KB

MD5
b2c334d95054f60bda387112f86c8223

SHA1
749be58040702e4033eb5a2e5ff5af8b9ceddcc0

SHA256
92053ed721bfd70172f6a57fc7709015360b5ded16f8ee18d3c1b89d548f7677

SHA512
e0b03174c2b1242360ea05ef8c54c586c6fb6eeb6a989af8fd9c2475dbba85eba05f78fe8b90e81dc209f9d6aaf43368c9d119620f7b9f327722f31ed96d0aaa

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
448KB

MD5
ee2d010b9f0abc9f775ca97f1d7dbe7a

SHA1
b337f67ab365b785dae224f67ccda061e7bc6587

SHA256
81478ce610b33110ec4aa70f90c05058ccf70566a9be2a59ebbee77c09fb2a36

SHA512
8208cdc34dc28966a146c8372cffee63208730bd3955eadc19b50898b1267fcf4e20cd58c677b2d27a8997c0077823bdae74192ba12441ac5230d4bd657f12cb

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
448KB

MD5
3871f42195a1844865e65d7962407672

SHA1
5addbaf7ae98726c094aec569b0d09ee8968856e

SHA256
35f9bcbe484ece0e6ce4dd4e27ac2bfcc429215de363a9ae72125d6af8bdae29

SHA512
d84302e139a73b59ea69c6026804303b3d81ff8908cade7963beba3c36eb31dd2ad62643162df61514530c067eed1a0690e160f734c5d3ca0834f88526bc02f4

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
448KB

MD5
98516dd40217a9889776fd153d123ed7

SHA1
ba82ee16da357d7c8b4fe92801627540c55124ee

SHA256
12599c8293015538b739313cbbd558850e2408b3c53f4e916db2640e4bf662b3

SHA512
6442e001b102d8be1ea872ceea4d3d3a2c255b7c8415b3c7cc9c55154f492a244363dbb49432c1f6448ce8ba8aea4da75a4afe4b60850e5ef5b12734a989bd8f

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
448KB

MD5
4e4d117010c3241739d78e3aa6bd4692

SHA1
c50044c8caad5ee76d1bbc9f199a893060350410

SHA256
ba5ae05ad27f8e530481ca4585a96b6fdfa480f57e89046693be504087047c3f

SHA512
efe85ea7afc92979d3697ec45866a1e89779334f96f379da64a1d5dbc726745910b5d005cecca4d8b04c0285878f5eabf8e331661a4c30db6f63a13776384b48

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
448KB

MD5
c5ae22ed7cf62938ace7494315eeea87

SHA1
90ee7eccdc0cca764ab2903af47e6b0d836c0e0f

SHA256
bfa3db49ea0e0673883111379751797392950afcef69a2296024ee964b567aff

SHA512
2b4144fbae42e862d8a8d6aaee5b961120f3436ae71cef8d4a4598a2c8eec8870d9a2077ad100200f64a5679a5d4340881e66545d70bfe0607e4d8b2d6857e6f

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
448KB

MD5
988b6cdd9d879a63ea59bfd97f3bf15d

SHA1
9373581e77483dd97e00e6ed778b41fe96987e8a

SHA256
b206ae9bb3b6812cf40081bbc2c454d5a4545cc7309b15315cf1dbbe560d8c08

SHA512
90e53cd2fa5d55efa9ea17df8f0af7df0f606b9d9a8f5bc8130bf6ecba7d6d503b05e9b98bd498158edd41415655ced63d6436559b75538ddf80213a20f2b34f

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
448KB

MD5
a68dad495429a90aafc2ec208e276d04

SHA1
f25a2d6c9fafbcdf8afdc8a2eb2224137613a71f

SHA256
8a19a0f90f65215b1dc1cc18bb121b83ba7bd69533fbf8bd181f333695010146

SHA512
928a0a76b22c9215849e5ebff1d7b4433eea0d51be543fb726685a7768782686adcce94a85eaf370ad3b055cae5810f517229efb69f9c79534cac4e759f79a0d

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
448KB

MD5
7ed323518682678ca3dc1d0323b247b1

SHA1
d42ae5554904cf19457803521daea74b6d578bb9

SHA256
a57d50f8b26d5607e71ada7edaa381dc8697c83b121e3bec18126e869c94e037

SHA512
3c393c84cfb0c49daef364df3033073c7f3402e09dec7990919b20a5f5fbbd665fed9f076bc06da389704b07cad2f326d9869f78356fc08decc11d53155e294d

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
448KB

MD5
ce397d55267f4c21c7f15638099baeed

SHA1
b5cc6d3c08eb995bf77819e519a0dd5d3d744e89

SHA256
608bcd01020d559d83bc37d4f9df502021712f964c601e073046999e5a51cf67

SHA512
a5f4fce8696706880247a303b608f3f5ac4a0ab2c4fd5867894c437dad21b5d6f4dde3428cb33c9c56d87ba5980aca40d7cb9873c895cc2bfee79cf8d6a6a9b6

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
448KB

MD5
519314147f4e2c907d0d8d481f1e2c88

SHA1
f0907f6195c139907cec717b497e9e3618e3f458

SHA256
61fb41a22a7aae1eda0c87ca7c13308a1f4ca721c0ea02bf728149aeb00c4325

SHA512
f5ff4b4e244cf4c0a8463877932c8258356b3f496e9c3a01bd7c6d6fea2b914be825ca05c447699590c60aba11ae156afa5628430a38397bbeaec01a8d9502bf

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
448KB

MD5
3cafb67054dcbadadcfbf75707c752c4

SHA1
9c5b1e4ae4187881e210f0e1c79f3bf3fe323dfa

SHA256
1abd8adcd3f2c4c1767e1922952ce4df0e0d80a16231707e5b486aaa36be9383

SHA512
6db895b684e1ed3143e9328b6f926c9a21b19fb860862a5685b4f0f89567b82a59d52115fa648711466f498c6ae07e1e4469dd3f3355411fe9840e76d3cf9a41

Download Submit
memory/220-94-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/220-346-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1136-228-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1136-311-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1144-283-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1144-296-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1224-298-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1224-277-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1272-290-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1272-292-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1340-77-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1340-350-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1404-110-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1404-342-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1428-16-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1428-364-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1636-70-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1636-352-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1928-174-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1928-326-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2024-324-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2028-366-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2028-9-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2368-309-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2368-236-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2468-322-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2696-320-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2696-195-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2840-354-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2840-57-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2976-211-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2976-316-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3204-259-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3204-304-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3208-318-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3208-204-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3240-336-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3240-134-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3436-101-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3436-344-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3636-41-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3636-358-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3668-302-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3724-118-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3724-340-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3852-300-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3852-271-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3936-356-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3936-49-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4084-312-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4084-252-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4252-33-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4252-360-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4256-334-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4256-141-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4328-295-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4328-289-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4436-328-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4436-165-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4464-330-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4464-158-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4480-314-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4480-220-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4492-244-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4492-307-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4516-362-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4516-24-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4520-348-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4520-81-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4580-368-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4580-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4580-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4860-149-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4860-332-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5056-338-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5056-126-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads