0a69699a7078fa61ec75d0ac03570747471ff67f230c317b7f66749b9c95bd28

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba60f197ef62ff76808e860065015cd0N.exe
Size

94KB
MD5

ba60f197ef62ff76808e860065015cd0
SHA1

0bb07ea80628cad4b287696127633444a9ff285e
SHA256

0a69699a7078fa61ec75d0ac03570747471ff67f230c317b7f66749b9c95bd28
SHA512

eea3062891a1ea7b1d86ab6cc1065e033935478d2678d5577d3e127e8d16e0d1f0c39b1a3d3ff228ed26568d943bc2a14c3f4370b2a469895de9ec230d2724d7
SSDEEP

1536:xiioc0zvavPYcv2HeM6JdpNhfhOunWB5LPHq39KUIC0uGmVJHQj1BEsCOyiKbZ9N:xboNavPnke5pNhRWfjH6KU90uGimj1iZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ba60f197ef62ff76808e860065015cd0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ba60f197ef62ff76808e860065015cd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe

Executes dropped EXE 20 IoCs

pid	Process
2980	Dhfajjoj.exe
3420	Djdmffnn.exe
224	Dmcibama.exe
4532	Danecp32.exe
4252	Ddmaok32.exe
3680	Dhhnpjmh.exe
4276	Djgjlelk.exe
2676	Dmefhako.exe
3176	Daqbip32.exe
4432	Dhkjej32.exe
5068	Dfnjafap.exe
2968	Dodbbdbb.exe
3992	Deokon32.exe
3980	Dfpgffpm.exe
4028	Dogogcpo.exe
4904	Dmjocp32.exe
3812	Dddhpjof.exe
2068	Dhocqigp.exe
3228	Dknpmdfc.exe
3160	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	ba60f197ef62ff76808e860065015cd0N.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	ba60f197ef62ff76808e860065015cd0N.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	ba60f197ef62ff76808e860065015cd0N.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3216	3160	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba60f197ef62ff76808e860065015cd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ba60f197ef62ff76808e860065015cd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	ba60f197ef62ff76808e860065015cd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ba60f197ef62ff76808e860065015cd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ba60f197ef62ff76808e860065015cd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ba60f197ef62ff76808e860065015cd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ba60f197ef62ff76808e860065015cd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2980	2028	ba60f197ef62ff76808e860065015cd0N.exe	84
PID 2028 wrote to memory of 2980	2028	ba60f197ef62ff76808e860065015cd0N.exe	84
PID 2028 wrote to memory of 2980	2028	ba60f197ef62ff76808e860065015cd0N.exe	84
PID 2980 wrote to memory of 3420	2980	Dhfajjoj.exe	85
PID 2980 wrote to memory of 3420	2980	Dhfajjoj.exe	85
PID 2980 wrote to memory of 3420	2980	Dhfajjoj.exe	85
PID 3420 wrote to memory of 224	3420	Djdmffnn.exe	86
PID 3420 wrote to memory of 224	3420	Djdmffnn.exe	86
PID 3420 wrote to memory of 224	3420	Djdmffnn.exe	86
PID 224 wrote to memory of 4532	224	Dmcibama.exe	87
PID 224 wrote to memory of 4532	224	Dmcibama.exe	87
PID 224 wrote to memory of 4532	224	Dmcibama.exe	87
PID 4532 wrote to memory of 4252	4532	Danecp32.exe	88
PID 4532 wrote to memory of 4252	4532	Danecp32.exe	88
PID 4532 wrote to memory of 4252	4532	Danecp32.exe	88
PID 4252 wrote to memory of 3680	4252	Ddmaok32.exe	89
PID 4252 wrote to memory of 3680	4252	Ddmaok32.exe	89
PID 4252 wrote to memory of 3680	4252	Ddmaok32.exe	89
PID 3680 wrote to memory of 4276	3680	Dhhnpjmh.exe	90
PID 3680 wrote to memory of 4276	3680	Dhhnpjmh.exe	90
PID 3680 wrote to memory of 4276	3680	Dhhnpjmh.exe	90
PID 4276 wrote to memory of 2676	4276	Djgjlelk.exe	91
PID 4276 wrote to memory of 2676	4276	Djgjlelk.exe	91
PID 4276 wrote to memory of 2676	4276	Djgjlelk.exe	91
PID 2676 wrote to memory of 3176	2676	Dmefhako.exe	92
PID 2676 wrote to memory of 3176	2676	Dmefhako.exe	92
PID 2676 wrote to memory of 3176	2676	Dmefhako.exe	92
PID 3176 wrote to memory of 4432	3176	Daqbip32.exe	93
PID 3176 wrote to memory of 4432	3176	Daqbip32.exe	93
PID 3176 wrote to memory of 4432	3176	Daqbip32.exe	93
PID 4432 wrote to memory of 5068	4432	Dhkjej32.exe	95
PID 4432 wrote to memory of 5068	4432	Dhkjej32.exe	95
PID 4432 wrote to memory of 5068	4432	Dhkjej32.exe	95
PID 5068 wrote to memory of 2968	5068	Dfnjafap.exe	96
PID 5068 wrote to memory of 2968	5068	Dfnjafap.exe	96
PID 5068 wrote to memory of 2968	5068	Dfnjafap.exe	96
PID 2968 wrote to memory of 3992	2968	Dodbbdbb.exe	98
PID 2968 wrote to memory of 3992	2968	Dodbbdbb.exe	98
PID 2968 wrote to memory of 3992	2968	Dodbbdbb.exe	98
PID 3992 wrote to memory of 3980	3992	Deokon32.exe	99
PID 3992 wrote to memory of 3980	3992	Deokon32.exe	99
PID 3992 wrote to memory of 3980	3992	Deokon32.exe	99
PID 3980 wrote to memory of 4028	3980	Dfpgffpm.exe	100
PID 3980 wrote to memory of 4028	3980	Dfpgffpm.exe	100
PID 3980 wrote to memory of 4028	3980	Dfpgffpm.exe	100
PID 4028 wrote to memory of 4904	4028	Dogogcpo.exe	102
PID 4028 wrote to memory of 4904	4028	Dogogcpo.exe	102
PID 4028 wrote to memory of 4904	4028	Dogogcpo.exe	102
PID 4904 wrote to memory of 3812	4904	Dmjocp32.exe	103
PID 4904 wrote to memory of 3812	4904	Dmjocp32.exe	103
PID 4904 wrote to memory of 3812	4904	Dmjocp32.exe	103
PID 3812 wrote to memory of 2068	3812	Dddhpjof.exe	104
PID 3812 wrote to memory of 2068	3812	Dddhpjof.exe	104
PID 3812 wrote to memory of 2068	3812	Dddhpjof.exe	104
PID 2068 wrote to memory of 3228	2068	Dhocqigp.exe	105
PID 2068 wrote to memory of 3228	2068	Dhocqigp.exe	105
PID 2068 wrote to memory of 3228	2068	Dhocqigp.exe	105
PID 3228 wrote to memory of 3160	3228	Dknpmdfc.exe	106
PID 3228 wrote to memory of 3160	3228	Dknpmdfc.exe	106
PID 3228 wrote to memory of 3160	3228	Dknpmdfc.exe	106

C:\Users\Admin\AppData\Local\Temp\ba60f197ef62ff76808e860065015cd0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba60f197ef62ff76808e860065015cd0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\Dhfajjoj.exe
  C:\Windows\system32\Dhfajjoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\Djdmffnn.exe
    C:\Windows\system32\Djdmffnn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\Dmcibama.exe
      C:\Windows\system32\Dmcibama.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 396
        22⤵
        Program crash
        
        PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3160 -ip 3160
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Danecp32.exe

Filesize
94KB

MD5
3e32a49b8e97797262655d532e4b9200

SHA1
307ce80d4654448a1b736fe3e9344fc263e41e3c

SHA256
86d232b3799c1630621b6439fe407f2cccb771b0cddb58704f3722eacec49e76

SHA512
0dcffb38ed7c19978079689ccca791e93d8e01e711cbec6993a36851c460c5443f5eeea16e884ac96aee268e738404671dada130a6203af014b57e4c09f42f31

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
94KB

MD5
c35b2e7ded3ad9b57967b98198b12691

SHA1
f5414c71c45f6a0acf4445595f7030dfb21f1710

SHA256
81d581058d5ec3a8f810b8dd10726726df69b5a2da339cd9a7adf28074f8d40e

SHA512
3718619d7c49a417eda6a2ba15dd39a41e6697dd1df3dd5e72803a05f070b9ba6f0c7226683bfb27432ab89e67354ea4f2463e057c18e9b989c5f3b95981a223

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
94KB

MD5
e964ee1a69853746ff3ff13fdf9cace9

SHA1
6b117141a9dda083d662bf7826dad82de3ea9e0f

SHA256
c3a0c2a9dfad9340da81d3c7665485481a8fe60655d14637e93208ba9f44b338

SHA512
0c7f1670f0efdafcc13a86e0b73a0b4f54064a25dcb6f2231c6729f1f050724989f89c9e5eef3335f0614c113ee13863b6f4f864923eb133c0a3fb3a91223b48

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
94KB

MD5
6ef1347d0ab680c0b5b32eef339e672b

SHA1
437eae868f2b85eab0fc740e103bc01fd9167cc7

SHA256
0f4f71582b11bd69b6b575e46d1363fffbcf3fd1bf1bab1bf931696caee48572

SHA512
2cc812e17576e100cea2b4900ce59f38b0ec49b07ceff9318628bdb3f97ab77c2cd604ae8f9b5a2708d5b05d9f9c0409b14d4c296b42ec6ce5c81013616c3c68

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
94KB

MD5
d013bc6994761dc38e66b81e68747c46

SHA1
b21ff7f2e27351e64e39f59c3a542af92db1f5e9

SHA256
5860f33ae7c7e4a05a5651a93a8102c3cbbf3d848fd2506003ed4dd679161cb5

SHA512
f8eed89334887631757175e86f6b38018ebbb4b47ff2d6e5574c78381c4b4c16dc0989b138189244e96910f60aef6c92da63ec6547a2e107dd7c54617355fd6c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
94KB

MD5
979962f5ecd403dc775767e0f008747d

SHA1
7b2358377cc8ef0c22c08dfc3b8569202c484fa4

SHA256
8b75f56b40c6ea836656d10e61326d8cd7876a0bce9a0364d07f91740d1a7a21

SHA512
3de96afaf5792d4defdca27b6db8fd8d2639089dc1d935bbf2fd4ab9f8f59c47fb353b1b95e40285eea587b2f7ea233416f529319588f433e10a9f1b42ce0957

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
94KB

MD5
73a251762d7426091f9c89121dbf8680

SHA1
28046b4aeac4c374afa4580bab000d080f988002

SHA256
e7c3c2fbc4df03ce6fd62d37203fcfeb388fbdea8d751450b8417f0195913e76

SHA512
bc05053d60a90d5a302334de64133ea5ab1949f0b4fd7ca7db1af40657ca64a099145944699d52812abe93151f5b96873ba0ecaae7d16ebb1eaabbdeddbab518

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
94KB

MD5
092ec7311ca07f80163601eba94250f3

SHA1
5ead055896bb8b546dcc0e2bc85b4b0aae5ee88f

SHA256
73227823abad510e2d9b5a87b1df7728c6cb5d1446f30d7b81f9c7c064e0470a

SHA512
129fed7c78776980bd12538b4b8a45038194841b1f8b239c824be3b387dafd8445b9881f0528ea6906397b6fe3e515ed5d5c2038ea91460d0b5606f11e798808

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
94KB

MD5
0939f91d807f5a5d22aeae59884790b4

SHA1
5f3b3104207788ed1459ccf4f1ed20bd763bebfb

SHA256
06eb9db3f1f1afd6626339671a0e1287f3a45733868be8dc970c14c3093c1eba

SHA512
9ab3dafb2a2497702f2deb3cea26e5322dfb5d08d5847f451ae68ed42ba47d6966c2a5f0a727ef5f1f0ba8066dffacfa1438024695c71ce5d203e14caf7e3624

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
94KB

MD5
8b452cf7ef6fa5f5a8117fe72572ba7d

SHA1
e42647a9266d9008b7ba1f476b32f6e7638335e0

SHA256
c970b25b7dd6a1e7d288d392e7f33011518db9ce3459a3ae2b19db9e0fb80297

SHA512
f9f78a628317131f9cb36b48f526a8c188647bf103f69b42a6f54e610c93f3dd92fcef86c3cf10bb959ae34647cba3fe4cc760900c5cfd76c1a26656bb7122b6

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
94KB

MD5
897c185726822d69a5adffb7f977d23d

SHA1
4bb5991439701ae5f753add8cb11b8ddc6e65cf4

SHA256
4caf1df239912d8fc20b909d35ddea7e743cef3163d08a92a99e0454a3e3cfb8

SHA512
98b6cb32af255dc88020da0c1cba98823756cd12422826e611a96ec43bf116422e1d643a9d4d79d9dba2134abc9edbf1eea60c124ecb12c0a76175ba723ef8d9

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
94KB

MD5
3129163efc67134e42bd5a59fe2adeea

SHA1
1dbe6a85eca7d9785ff60199b4a48cc34ace3c54

SHA256
c5f6c2c173c53f169faef1cad85c46fcc6b12af244df1d51b940424ab8f561a3

SHA512
cb3529f16054559bc1d3e79736bfa7efec7779c2e6f3addf2ccf83aecc9489ffdb955abe836bb019d96bff52b4bce408f16a70f46b11634bb571d49f7053a57c

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
94KB

MD5
fb496ce9640bbf0015263f0900d7b940

SHA1
aa75593e50c397830d09d1ce8d4b8aae844f12d5

SHA256
b44b08c8d74b125ec1e68b7b5f841ffcf6b60803ff1cb7b1d834efef37099773

SHA512
6cc193be15d4ed28ec79cc902bca1b19236c5574c2324e332ca990d5caa01fecf268a0cf08faf474763494b233f59430916818fc658254e483072cd866f7f4a6

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
94KB

MD5
585b5f1c214c6d51b3370f89f91c16fd

SHA1
54df2e8b27ed042fcee76dbb9488ab81f33afb7a

SHA256
8557946a0a0a59fdc2f11671437dbdac68c90ada6988579e7ef939631406b940

SHA512
796c9687a24ead5452de6cb9b3b9acdd7a101c7df15db645a51b52b6f14335beb116ff5a9ea94419113be2a39131e87c3f73400231af351b88c0c205e6232b85

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
94KB

MD5
b62285b7c729effd2c38cb3855004f20

SHA1
fa25978982d30708caca90d328a87356e135b381

SHA256
9558961a6e9ac5470e5ad403cf87b3e041a688c2e06cc6f583e0053a72d1d5a6

SHA512
d97eca9268149388ffc30904117f83d605b5b83a5c25bdbca49ee093447d08afa34ae853a8fe0ef204b17278f8670574f1e54099d70d8dd14438c789b1792926

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
94KB

MD5
fd89f29d71a2b0f9de23c1eaf7823228

SHA1
b76eb623f42ff19d27c0e3b59d781bc2650cc6e6

SHA256
f84b215ac6455f6db7084862a038a52437c7171c5b17c73bf3bf1d01fc33339e

SHA512
dfaeef8cfc57b5ecd77f90119705d2dc560ae2a043fde8b20aeb9d8170499cc8f4017d652be2d79b72edf27fd0fe3d40289d4e0a488ff6e973c7c07a61e12e81

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
94KB

MD5
fde5d5e4b07e788887e5c64b8c79fe39

SHA1
143fe1351a17888200435a44b1437f79fc004e83

SHA256
7be7f980152a027805d9d7cc2c98cc7068a9b4025d087f9c6a77b4853ecdd3d8

SHA512
3ed8de69498e3bfb6e922b4c88f2a2a81647a748d79b03e480fd2da824e6acf4c9fb567a5d4dcd6cf3cf5bb333f37a6d189c98e429bfa0aa5efdae45ff4f191c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
94KB

MD5
2f99e49faeda75d6c1e29ec27f07c395

SHA1
da6afdf4c455ca022b52be63a954db7178245d6d

SHA256
b07d152192d1d65f8a68653c0579a15683c218c11f19eaae071e6439d07d91e4

SHA512
8e0015a6192c0461e36952b6c6fac2f34264080e87970fc0f03ae2340fa6faef800f48a82586449e0492336ed308d79551c1bc02141fd9df138f65c9933feb28

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
94KB

MD5
53569c50f0d7b600e6c2728147d8bc0e

SHA1
4866e967955b5c74c20e09e636ae0024b32f8f7d

SHA256
06e81531a6ecc51496716b54dac8ae0db1ea6d57695a3516fddd212b68ae9b22

SHA512
6ab9f81bb3138ce3a8c7da7a9e3a7954f77855d0dd0d067450937293ed4ed57be87e675890fda6c0f9e8d948230d43d37c65a09ee03f2b731674913c9f045a08

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
94KB

MD5
96f2fab9585c3b145cd78fed1158fd01

SHA1
8b9b87d19ec54014547658732bf75f5514e8bb92

SHA256
a9c3f1486388427208e9b68d753ac296339b3fe695d771dfb1360657ec82b139

SHA512
7c882dc04db6ad8710e2c5a1e93e3eff4680e346ca07aa06a8668409e2f5aea44522386f8765ed000467dc0443a2dd666ba3c08894f6dec74f99ae1509262877

Download Submit
memory/224-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2028-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads