2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59

Analysis

max time kernel
141s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Size

96KB
MD5

a76c575f02b05c736b7f5b3969b10d1e
SHA1

8f898928b668ad6cbd7abc09d5d2f58aa615460e
SHA256

2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59
SHA512

0b5034da58d4a133f93e299aece6f977540a70da9d61fa9715df868cf664cb1bed090ab953c4f7034e079eba4bd3c308bc9c5459889ed28437e077c74b2e3810
SSDEEP

1536:H5em+BARNZxcJVuymVKR3vMl0APgnDNBrcN4i6tBYuR3PlNPMAZ:ZeD0/xV0Ml0APgxed6BYudlNPMAZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe

Executes dropped EXE 20 IoCs

pid	Process
3960	Ceckcp32.exe
1552	Chagok32.exe
316	Cmnpgb32.exe
3920	Ceehho32.exe
2912	Chcddk32.exe
3424	Cnnlaehj.exe
2940	Calhnpgn.exe
5020	Dhfajjoj.exe
4220	Dopigd32.exe
2876	Ddmaok32.exe
4796	Djgjlelk.exe
1676	Dmefhako.exe
4184	Delnin32.exe
3504	Dkifae32.exe
1568	Dmgbnq32.exe
1384	Dhmgki32.exe
4904	Dogogcpo.exe
856	Dhocqigp.exe
3800	Dknpmdfc.exe
2944	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1684	2944	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3960	1612	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe	84
PID 1612 wrote to memory of 3960	1612	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe	84
PID 1612 wrote to memory of 3960	1612	2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe	84
PID 3960 wrote to memory of 1552	3960	Ceckcp32.exe	85
PID 3960 wrote to memory of 1552	3960	Ceckcp32.exe	85
PID 3960 wrote to memory of 1552	3960	Ceckcp32.exe	85
PID 1552 wrote to memory of 316	1552	Chagok32.exe	86
PID 1552 wrote to memory of 316	1552	Chagok32.exe	86
PID 1552 wrote to memory of 316	1552	Chagok32.exe	86
PID 316 wrote to memory of 3920	316	Cmnpgb32.exe	87
PID 316 wrote to memory of 3920	316	Cmnpgb32.exe	87
PID 316 wrote to memory of 3920	316	Cmnpgb32.exe	87
PID 3920 wrote to memory of 2912	3920	Ceehho32.exe	88
PID 3920 wrote to memory of 2912	3920	Ceehho32.exe	88
PID 3920 wrote to memory of 2912	3920	Ceehho32.exe	88
PID 2912 wrote to memory of 3424	2912	Chcddk32.exe	89
PID 2912 wrote to memory of 3424	2912	Chcddk32.exe	89
PID 2912 wrote to memory of 3424	2912	Chcddk32.exe	89
PID 3424 wrote to memory of 2940	3424	Cnnlaehj.exe	90
PID 3424 wrote to memory of 2940	3424	Cnnlaehj.exe	90
PID 3424 wrote to memory of 2940	3424	Cnnlaehj.exe	90
PID 2940 wrote to memory of 5020	2940	Calhnpgn.exe	91
PID 2940 wrote to memory of 5020	2940	Calhnpgn.exe	91
PID 2940 wrote to memory of 5020	2940	Calhnpgn.exe	91
PID 5020 wrote to memory of 4220	5020	Dhfajjoj.exe	93
PID 5020 wrote to memory of 4220	5020	Dhfajjoj.exe	93
PID 5020 wrote to memory of 4220	5020	Dhfajjoj.exe	93
PID 4220 wrote to memory of 2876	4220	Dopigd32.exe	94
PID 4220 wrote to memory of 2876	4220	Dopigd32.exe	94
PID 4220 wrote to memory of 2876	4220	Dopigd32.exe	94
PID 2876 wrote to memory of 4796	2876	Ddmaok32.exe	95
PID 2876 wrote to memory of 4796	2876	Ddmaok32.exe	95
PID 2876 wrote to memory of 4796	2876	Ddmaok32.exe	95
PID 4796 wrote to memory of 1676	4796	Djgjlelk.exe	96
PID 4796 wrote to memory of 1676	4796	Djgjlelk.exe	96
PID 4796 wrote to memory of 1676	4796	Djgjlelk.exe	96
PID 1676 wrote to memory of 4184	1676	Dmefhako.exe	97
PID 1676 wrote to memory of 4184	1676	Dmefhako.exe	97
PID 1676 wrote to memory of 4184	1676	Dmefhako.exe	97
PID 4184 wrote to memory of 3504	4184	Delnin32.exe	98
PID 4184 wrote to memory of 3504	4184	Delnin32.exe	98
PID 4184 wrote to memory of 3504	4184	Delnin32.exe	98
PID 3504 wrote to memory of 1568	3504	Dkifae32.exe	99
PID 3504 wrote to memory of 1568	3504	Dkifae32.exe	99
PID 3504 wrote to memory of 1568	3504	Dkifae32.exe	99
PID 1568 wrote to memory of 1384	1568	Dmgbnq32.exe	101
PID 1568 wrote to memory of 1384	1568	Dmgbnq32.exe	101
PID 1568 wrote to memory of 1384	1568	Dmgbnq32.exe	101
PID 1384 wrote to memory of 4904	1384	Dhmgki32.exe	102
PID 1384 wrote to memory of 4904	1384	Dhmgki32.exe	102
PID 1384 wrote to memory of 4904	1384	Dhmgki32.exe	102
PID 4904 wrote to memory of 856	4904	Dogogcpo.exe	103
PID 4904 wrote to memory of 856	4904	Dogogcpo.exe	103
PID 4904 wrote to memory of 856	4904	Dogogcpo.exe	103
PID 856 wrote to memory of 3800	856	Dhocqigp.exe	104
PID 856 wrote to memory of 3800	856	Dhocqigp.exe	104
PID 856 wrote to memory of 3800	856	Dhocqigp.exe	104
PID 3800 wrote to memory of 2944	3800	Dknpmdfc.exe	106
PID 3800 wrote to memory of 2944	3800	Dknpmdfc.exe	106
PID 3800 wrote to memory of 2944	3800	Dknpmdfc.exe	106

C:\Users\Admin\AppData\Local\Temp\2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe
"C:\Users\Admin\AppData\Local\Temp\2bcee1613f4c45f7e9fa9a1e2a3c3e4648efc650677291259810a17ec4373c59.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\Ceckcp32.exe
  C:\Windows\system32\Ceckcp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\Chagok32.exe
    C:\Windows\system32\Chagok32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\Cmnpgb32.exe
      C:\Windows\system32\Cmnpgb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 400
        22⤵
        Program crash
        
        PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2944 -ip 2944
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
90259e1ab0a609d78e6bf2dc997eaeec

SHA1
b8db46bf63d8177a9823fb9d9f88a4c38d774a47

SHA256
ac6fa9be89e697913b640b737a0378ff55555d60ec6e8d5ad57c7a77cd894ebf

SHA512
bf4ffc8993295673a04210b6af1a0f3d96614c2a75478edfbd605e1bf4c9eb87dd8d2bf8a41f5377f281965d842c4b11fcfa54c47b99c8c569c305286b278b6e

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
bf8392c6283a4cd077189e6f2219d05a

SHA1
b13dde1506f96b5aec4a399fbb3ab016354897b2

SHA256
fe5bca936d40a7365ea2c652593e098dd34a40ad0310d6f3cfd0b53bdf56c200

SHA512
ace6bf9c304397a6607443e37ff0455870797eef555db43d5edbc5e4740394cb0b26e0a8733726929847480813bccf15af6fe2dd3169efe99dc29bdcc4785f46

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
666d1d058d2e1f9e0c48e343fdac43f4

SHA1
aba5a667eaacdca31dfd63921e78fa78f0fdde8d

SHA256
1b4aef982679fc269d267ba736c3f122527804f491d2babb10d886b31c7d51b8

SHA512
a40a3d656b8948a27e4209f81f72dbbc2c281de7197b202f535b7f3b05a9e1e73b3160c45cf6336e71af8426306177af067ccb8811fe3f724532168968a7fda5

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
a542832f0e7af24edd017c250bb0016a

SHA1
24d26e6d0f0e1b95b8f93502c52c0c78a90f887e

SHA256
9c407c6e4bddf80ac49a0664c447aae24949e63bbd99202b53b0c424bc6367ec

SHA512
b996bf87eea231f6b9523aebb3325f3874fd4adfd729a5b0fa0921045dbd12c66f70c9514d542087b19d91f7a51020c3c3a16e7bc5c39f34eee33769d84a66e6

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
de2e3ecb5486c1fc8e85b366906ac23c

SHA1
1e087fdb4ee5e6de4f6278c81e8e1c2511152cf2

SHA256
0ecba4b407c33e05d6008eaa835feec8be921986c48a814b1a8115403583634f

SHA512
7a3aee7eb28f334472e91da9d8b0cbdf6438f223776374715c5a868557cfe103aeb89d42b63bf9a4f8c181e5723a6ba1927b9bc13c3311610d1bf40910404de6

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
96KB

MD5
079b3266f92ad849a77efb32c6a71d9d

SHA1
e1bf13f8dcac128ef83ad78cde2f2b55bcf7148d

SHA256
70cc428d080273fc55446075b4cf8e4be5063a545c93021139b9e5886cbc38a4

SHA512
1bde3e0cc533baec0c5fda48c5edac8578bcc28260fbc7b0745fcc319b4c4dff6d097e252ac94bc8e6f21def6d56de8444497eecf3a0ecbdba58f491ef24839c

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
b254ecba1136dd996f66732dcad5b1d6

SHA1
ff091909dd4f03ea3024a11f12ee8aa56ac39543

SHA256
72cc631620ea2f07a31fe7ffa7d12496d8f159a0f7d1fc8f4becdd029d8058cf

SHA512
d127d3fbc31416af70dba81a3847290ca3976a715ec3f45865090d591886b4314021470627cd97bc471cf7ec8c709f5aea2cf65dc6c58a044e2d238a438d54a6

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
7880b20e2b695722f0585b45e7c05a5f

SHA1
df65f2d321ba8da3b99704b937b458bd758b9313

SHA256
1e0457d16f9946741e66704ddc60c96cba0f59febbd9ce106842d8fb30b39903

SHA512
e50f3d96acb319ee85e7c37eb9bb8a9012f91e343f19d4003428b6c0b8811497997f6276e6759d4fceba4dc31d6751846718e9d8a20b95a2cee8c44e7c745749

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
b2d6940cd7624a0b84e4a03f25c6c972

SHA1
fc6b9fd6fcb23ebd33da129f0bad11b67f8e731f

SHA256
5c34b76a226194892c27bc74c6e625b763974908cf9da4ce8c9b8a6f086ac4b0

SHA512
6049353d5fac5c9806f8eb4859b767c480d39d7eb38084848c5c009dca84251248ef2ce67d1c7088d3badc12aa6336480c976a39804ba0517dc5b44d19cfebd6

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
2aaaa02c11245a89f189428e4672fda5

SHA1
2596df430629c113676b028e903d791590a9cad4

SHA256
43613d6ef771c3fcd038b8b510c81cf372bf4c8d42908045f17d959f3b132a79

SHA512
8aa23899417461ec0694d8adfcc9fd88482c0e6ed66af7f5df6159e96dcbab7512dab22031e5a48ae24b76821c5c7fb71888a680dc1e1e38803f25be30b8fd64

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
ece298a4c1a3bdca5bc2bf6cf2ed8c35

SHA1
103f08eeea29f60df38483670456a775f1a8f335

SHA256
66647a428a6b44a1f2dc85d0963b258f223b3118863587fae5083568c670c2ce

SHA512
99b161c3929334f38876b2a9cd656efe6bc11f102c1d1220dffcfea9e3d545cd7d10a30f8132b2e3d0f7e403fad8cccef67be92e86dbc29da28eb590fb552180

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
a5feedb54c1f9fef134147f2f4764b76

SHA1
6ab886766efb1cf1161150bd652ecbbc86ee6dc9

SHA256
4eededc32b8249f5e2cebd03e09d2a6147a4c7e52eed22d73c82b0aad34903e1

SHA512
d93c73d656bb1ca29947d27245b8eecc35f40b0365061bffd4e42e04d2ea321c514e8e406eb15ebdb5b5ce493dab7b7c01b75e99689017225527ba6388234ee3

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
52e8378513c0f294a6ce2e74837b0542

SHA1
88cff897f2f371098c19d300eb64b4bb6e66cbb7

SHA256
9994e45d99756f8e125d26af08d301bce40a3fc0020016fd6b3d2c49f84fcafe

SHA512
a6557ad4882b8adac67d41d00ce0c94787097fe38001ae27803016eab322448b7ce3af801b1ae109946065d3e123f50dd2a8ebb12f75d025d311a20202b9d103

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
96KB

MD5
8ff097d1ab9c25c033d48a1848f72d4d

SHA1
fc1a7c15810709f885ee35eb6438adec6f2bdde0

SHA256
56194b9a79eb543b4e4d32faa272a29538232175737ae4150a9d05586c6555e9

SHA512
27ebc285170e46de7f87e0fc0dfbe4d45110af283b3ece49eaa4bffd35696c94b795e9496c79770dd47496559affe10b23b72d70d0d69bb585f6b631ecbc9c41

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
2bbc941cc80860f9144da13df056b38f

SHA1
57a0dd01200895e92a761ac3f8b4d0743e17792f

SHA256
5af8722b09c115e4b6a4bb7ece6fa347b8ce57e2d72fa803b096bb1e0d55f1f9

SHA512
1eaf9b050336a0c29d987444d193c99c43b8a2829f3ea289cbe55d421fbce12c33e1f594cf7ca9dc9790c619d5e739f0c7fa3c75a4f79d9217f919ec7487e808

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
08dbf05cf78c83f0904b3bb1107576f5

SHA1
fe611a4760b071358a45d7a5e0b17349e52d404f

SHA256
28b2618289c61d7f352a87755bfbf1b16e3dc81fb8bff1c7537758f25f2c0bfe

SHA512
eca5dd27139283276a02e231e703b7d1baadb4f4578fc7e4fc0a740e23ca2a964cf2fa0ed7f5c395426c9a2a0fe498359c1b94e3f62a1c9bee17efb287fcaadd

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
acefa42e7ef9c2a5150e84ecc914a035

SHA1
17abf8fac58439e3d6fca6185c8dbf592b895633

SHA256
58b40aaeeb3129a903771244fac183b45909082a50933850c44b417519d46a1c

SHA512
a8a6eed132c8d1ea2b4de9c2463365bdf5272e1bc18d4e97a8c90a9ab90c8f4022012e7107e44a475de26c250d38b8285266949f69f1ae686bb2abd32b6d16e9

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
a572f07fa1cf03ff50c46cc8086d92a3

SHA1
50869bc18037b4f8ec706c62f5af23d55faa14a9

SHA256
933f38cf88d59eb8f29bda1ee819943bd270e5af957ce2f301d3a656651b0cc6

SHA512
4b31ee1a1bc22d6447b1f4b45ce1b775231b0bb7c74921c95f7edae687296a3b5a63e21a440e9bf9b09210aa19e0ec391b6ccb9f1834fd62cecdc9a4a7b73df2

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
7f2f12228f79bfc331b93ba579dd1935

SHA1
c427517607626a5f0e668410bec9717645c873f1

SHA256
223f0bee3a097f0c3e2539904f4ce416c6308c88917a581ef1bec3874a3e2bcb

SHA512
c6dcafaaf8e69e15eb946e8d9b6d8d9223726f011a5d3f9b25cb05a904757e30230e53516ea14c0381153904c9df0eeb901580036a5b69e79abb8db71612acfa

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
471c5d968701c111b21f6a8fcc5e9378

SHA1
ab9af2720896f11c516a52686caf78b8ad1c6224

SHA256
817a1bfa6841850fc453b67d149347b06c8e0a7df6f78c4aa91cbb1059ddeb04

SHA512
c8c098e7473071395504ac902b2e5536d696c41b06405f41cf4b856738c0462d2549a3a104aa9b3cf5135dee7046222f68e944c03f3d811f75967474ce7ea385

Download Submit
memory/316-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/316-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/856-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/856-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1384-166-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1384-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1552-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1552-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1568-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1568-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1612-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1612-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1612-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2912-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2912-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2944-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2944-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3424-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3424-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3504-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3504-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3800-163-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3800-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3920-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3920-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3960-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3960-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4184-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4184-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4220-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4220-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5020-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5020-174-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads