0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f

Analysis

max time kernel
135s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
Size

165KB
MD5

e46fcc8735e045f992c26158c88e4848
SHA1

0fc78a4adbd8c8e590fb4324507fd41f0129b445
SHA256

0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f
SHA512

9013f0fbed41d4735ad66602eb0f09bdeb3c1021611c8c433f337a0ef413a189ebf48957dcd9a0a51e8ad1b91b874ba164eb1b9fdd0d91bf3e2a7182022bccf3
SSDEEP

3072:WafR2MkiR5xMZ3T3vQfEdArGzHq+egM5bylnO/hZP:WafQMkI5i3bQMdArGzHregqgnO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe

Executes dropped EXE 23 IoCs

pid	Process
4844	Cagobalc.exe
3120	Chagok32.exe
3136	Cfdhkhjj.exe
3348	Cajlhqjp.exe
4848	Ceehho32.exe
1028	Cffdpghg.exe
2496	Cjbpaf32.exe
2060	Cmqmma32.exe
1832	Dhfajjoj.exe
4204	Djdmffnn.exe
1308	Danecp32.exe
2356	Dfknkg32.exe
752	Djgjlelk.exe
2352	Dmefhako.exe
3872	Dhkjej32.exe
1440	Dodbbdbb.exe
680	Daconoae.exe
2432	Ddakjkqi.exe
3680	Dfpgffpm.exe
3224	Dogogcpo.exe
1296	Dhocqigp.exe
1684	Dknpmdfc.exe
1432	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4664	1432	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4844	4824	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe	84
PID 4824 wrote to memory of 4844	4824	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe	84
PID 4824 wrote to memory of 4844	4824	0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe	84
PID 4844 wrote to memory of 3120	4844	Cagobalc.exe	85
PID 4844 wrote to memory of 3120	4844	Cagobalc.exe	85
PID 4844 wrote to memory of 3120	4844	Cagobalc.exe	85
PID 3120 wrote to memory of 3136	3120	Chagok32.exe	86
PID 3120 wrote to memory of 3136	3120	Chagok32.exe	86
PID 3120 wrote to memory of 3136	3120	Chagok32.exe	86
PID 3136 wrote to memory of 3348	3136	Cfdhkhjj.exe	87
PID 3136 wrote to memory of 3348	3136	Cfdhkhjj.exe	87
PID 3136 wrote to memory of 3348	3136	Cfdhkhjj.exe	87
PID 3348 wrote to memory of 4848	3348	Cajlhqjp.exe	88
PID 3348 wrote to memory of 4848	3348	Cajlhqjp.exe	88
PID 3348 wrote to memory of 4848	3348	Cajlhqjp.exe	88
PID 4848 wrote to memory of 1028	4848	Ceehho32.exe	89
PID 4848 wrote to memory of 1028	4848	Ceehho32.exe	89
PID 4848 wrote to memory of 1028	4848	Ceehho32.exe	89
PID 1028 wrote to memory of 2496	1028	Cffdpghg.exe	90
PID 1028 wrote to memory of 2496	1028	Cffdpghg.exe	90
PID 1028 wrote to memory of 2496	1028	Cffdpghg.exe	90
PID 2496 wrote to memory of 2060	2496	Cjbpaf32.exe	91
PID 2496 wrote to memory of 2060	2496	Cjbpaf32.exe	91
PID 2496 wrote to memory of 2060	2496	Cjbpaf32.exe	91
PID 2060 wrote to memory of 1832	2060	Cmqmma32.exe	92
PID 2060 wrote to memory of 1832	2060	Cmqmma32.exe	92
PID 2060 wrote to memory of 1832	2060	Cmqmma32.exe	92
PID 1832 wrote to memory of 4204	1832	Dhfajjoj.exe	94
PID 1832 wrote to memory of 4204	1832	Dhfajjoj.exe	94
PID 1832 wrote to memory of 4204	1832	Dhfajjoj.exe	94
PID 4204 wrote to memory of 1308	4204	Djdmffnn.exe	95
PID 4204 wrote to memory of 1308	4204	Djdmffnn.exe	95
PID 4204 wrote to memory of 1308	4204	Djdmffnn.exe	95
PID 1308 wrote to memory of 2356	1308	Danecp32.exe	96
PID 1308 wrote to memory of 2356	1308	Danecp32.exe	96
PID 1308 wrote to memory of 2356	1308	Danecp32.exe	96
PID 2356 wrote to memory of 752	2356	Dfknkg32.exe	98
PID 2356 wrote to memory of 752	2356	Dfknkg32.exe	98
PID 2356 wrote to memory of 752	2356	Dfknkg32.exe	98
PID 752 wrote to memory of 2352	752	Djgjlelk.exe	99
PID 752 wrote to memory of 2352	752	Djgjlelk.exe	99
PID 752 wrote to memory of 2352	752	Djgjlelk.exe	99
PID 2352 wrote to memory of 3872	2352	Dmefhako.exe	100
PID 2352 wrote to memory of 3872	2352	Dmefhako.exe	100
PID 2352 wrote to memory of 3872	2352	Dmefhako.exe	100
PID 3872 wrote to memory of 1440	3872	Dhkjej32.exe	101
PID 3872 wrote to memory of 1440	3872	Dhkjej32.exe	101
PID 3872 wrote to memory of 1440	3872	Dhkjej32.exe	101
PID 1440 wrote to memory of 680	1440	Dodbbdbb.exe	102
PID 1440 wrote to memory of 680	1440	Dodbbdbb.exe	102
PID 1440 wrote to memory of 680	1440	Dodbbdbb.exe	102
PID 680 wrote to memory of 2432	680	Daconoae.exe	103
PID 680 wrote to memory of 2432	680	Daconoae.exe	103
PID 680 wrote to memory of 2432	680	Daconoae.exe	103
PID 2432 wrote to memory of 3680	2432	Ddakjkqi.exe	104
PID 2432 wrote to memory of 3680	2432	Ddakjkqi.exe	104
PID 2432 wrote to memory of 3680	2432	Ddakjkqi.exe	104
PID 3680 wrote to memory of 3224	3680	Dfpgffpm.exe	105
PID 3680 wrote to memory of 3224	3680	Dfpgffpm.exe	105
PID 3680 wrote to memory of 3224	3680	Dfpgffpm.exe	105
PID 3224 wrote to memory of 1296	3224	Dogogcpo.exe	106
PID 3224 wrote to memory of 1296	3224	Dogogcpo.exe	106
PID 3224 wrote to memory of 1296	3224	Dogogcpo.exe	106
PID 1296 wrote to memory of 1684	1296	Dhocqigp.exe	107

C:\Users\Admin\AppData\Local\Temp\0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe
"C:\Users\Admin\AppData\Local\Temp\0922be9c63ef65f787f6ad6f9bd6eddd5ac63abda159c259ec1df8beb106aa8f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\Cagobalc.exe
  C:\Windows\system32\Cagobalc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\Chagok32.exe
    C:\Windows\system32\Chagok32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\SysWOW64\Cfdhkhjj.exe
      C:\Windows\system32\Cfdhkhjj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
      - C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 404
        25⤵
        Program crash
        
        PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1432 -ip 1432
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
165KB

MD5
54563792a4dc2414addc35728e42027a

SHA1
e945d3ea6839b2ec0e8634c9a59af1ef38477bf6

SHA256
76099c3778b371d9e0eda34537defb2972c42ae5d8b179a55e711b499e7227e1

SHA512
64016eedf0e25af22f4e16b9a5a26f45ef656f32c805b0afa63776670010e6f0545429a5cc475b2e8569c435a84af15a7ac101d4456f35884f632bde5bf7b260

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
165KB

MD5
8cd96f2df6d652e9292dfc7ba02a096f

SHA1
08739d03a19747fe85eed81eddb1d7d2d31f1721

SHA256
5b2f675bb317ee7d4dbcb5a0e60179c9245e0b6c7c7b00d3a278708aeef35038

SHA512
1bc65a400c2c5e5fd350cc8046efc1d8e86884e59825016db0dd01a0bdde80efd0dcf888b42017316f3d042dcc7bb0d91b5eadf70e82a4e2333c464650dc2419

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
165KB

MD5
c6a722c38b4b07d7bfbc36223f8964e2

SHA1
5d1796160419fe884968f52da6bed5ecfb4d0399

SHA256
b3b56e75344762fa2088bb9c7c4188a2c1fe50e1395157e2c86638cf86b80b6a

SHA512
5cfc71b241a72ff9d00f15edcbfe92c143cf7276a7e54e7f38d8348f425f404442d577a389f33ecfd0e5657b4156b38e4b9404e821032be2907594782b3b278a

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
165KB

MD5
ad757ef5ff46a02f2fa79dabde0b647c

SHA1
36b16e58ebc535fb57cfdb0956b036b2a0b3fc49

SHA256
c8d00a49eae0a9a1878b35c5fff9f91e933eae790a09cdb3f6b38576bcf22c0c

SHA512
05acff0f317782acecb9833cd092375dc4f6236b1478a5c7baf257f9cba987a0ae416a55cabcf2ab55a4c85a9d46fbdb7df2f5067bd7a9d1e69e30605bb5052f

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
165KB

MD5
89aa7134f5e22ae81b4aaf5ba64d7ce4

SHA1
be4a7532b0f09aaad5655676b9d6a38bfe2f0d1f

SHA256
030050408755355d50b2eb33eacfeb03f48ba003664772969530f89b852f52ab

SHA512
befceaf1efbdcef586a6c84c73f2f6a0a4800b701c4744fb5e800e2f0a33e5dd5e572a0cc4cab8029d7526b7d3f52d64e5c8b5e1c8ede9c84aa77b7fe7bd0e52

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
165KB

MD5
9226dbe83a27a0ba4c5b54c20c18d2ed

SHA1
10604073a34d7eb1e7cb305fb630c6fa10f0849b

SHA256
c4766134abef989ef005416862bec458b0038ff371cb251cf0e8f2cb7b8800c2

SHA512
9524dd8066febb0a1ddc5306d49e292583b7f1afb16b0fb27ed1bf67c45bc70191e7ff8849bace603eaf20f09864df3cbe1f4889a4fab971ccac2fd31c2b6786

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
165KB

MD5
fb6aa78c94cca825584ab3fe2425a982

SHA1
4dbff45ae299fe3a603be9acdd2f7a489c15069d

SHA256
8d2a89bf7b761fb9d1d09e37e7d96917c746173441c50562eca90ce682a3ad72

SHA512
b6d62b89772b4ef54aba7ce3f705a7e84e7304df58638cf2f49ccdd5fc809054e4c81bcc7f2f3218b2600eeeacc837e6d6407f7988c6ff88c8b2949174af894a

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
165KB

MD5
8418304d35bba3fb8cf8d6fdf72a936f

SHA1
051259d730d436a98fe47ffa8040e8ab88fd3368

SHA256
2797b2e4cc0e8243b687d02eccddbc12474785fb02e6114874a99ed060dc9338

SHA512
99c09f5f0750702453e012b37580fd94c2e71da4f59736819aa11356bf5af1ffda0f7a1ca154d21e5c07362b3d839faf909e7321299b477d39e1ad9334f0761a

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
165KB

MD5
17cf2e9da076d75a5a6405fa5c50208e

SHA1
1feb7928823fe28e40082f4ff870d2503b0c5489

SHA256
ea19b6743181de36a9ddc92439f6b60cbd60ef0ea91c87a97aef9336c9fa3ce2

SHA512
2f5257536cc7e304da7092c8f9e06b2f3f9c8c205f5262f54e30dc25da3a7c934d52957c4864143cb43f3fffbdd8c283cf12cc83430e7d5571b9e29caffbe68a

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
165KB

MD5
c78dbf7f43cc3ba5fc2181d14c053e3a

SHA1
fc2d684fde8d7d3e57e72fd370d541b488b2f53c

SHA256
4fde696b3150f5c2082d189d3e669846d7fd46182ba4bb335f1a6a0e8751f563

SHA512
329d136fe333b8fa5ca1826615fa3e136f30077817dbf41065a1bd9f8773dd0cd4b466f5440cd3f2d10531ffe8ffb009181c421fd286e550eaff9faddb922c59

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
165KB

MD5
2854bf5795f387b2e9295b783a5f2136

SHA1
9d3154a007a4efcebb9f9eb9c5ff597a4c517f59

SHA256
bb88030b210455e0f434498abf905ece68da74a328982dbeb933e26f626c8f0e

SHA512
b6206334177f487d9ca7cce9bf769dca24b3990a788606e36a90fa043308236ff85a189a43a1788484416890d0aa7bdd1ca73a3fbfc9dbbe52ff00652d46f979

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
165KB

MD5
5f0d63f3676d588a8e821a36a462800a

SHA1
a3406ebddac4f991bea67ef5d203ac961b773172

SHA256
889fa2147dbea382c7bed7a9d1c139de12a500086a62476069fff782ba770393

SHA512
e55d4f47316b12b7913c4b40d94c9bcba73cc88d10de7cf85acda15991c1d2b59f322d5a08fb8b2c62f46b4bc5cd5b2b4f316f9dd090dd50c8033323209580ca

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
165KB

MD5
7886f2d65ae80abaabcb5ffdee6fcba8

SHA1
b58dd907096ead3803b29c4bdba331a26d426b33

SHA256
b1aa2707320b3705324ad172cc680295214753cdfb54074a41612d183d9780f8

SHA512
9a881e7a815ae22d178eafd4eba23a8d2a908b393ede7f9ee87e4d265b1579b613e5e35e86610c5a0d796d8910325bf78477905cc68f9ba422d216baaa87c829

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
165KB

MD5
a2d7f2b6b7ba2010a42a9070e4d9b82e

SHA1
5782b1ade2d6d239f72384269318b98e4ae27eab

SHA256
5d7a015a0ffa858aa349cc2747258f834e6b622e02c8cf37188f019143b832fc

SHA512
b4c6996dea768e9591ecad23e31416ac103ca1647c6eaced64879f45b2f86ff083eef8023466482692238228526fa87a95d7e865c1d2015e8fad20c8d614b6fe

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
165KB

MD5
e6713134b4021f9e93eeba99c9e487b6

SHA1
b252b2ac621c233d3ee09d1a9e8c3a47f2afde12

SHA256
b0aa60f5b5fdd35b8601fb4aa8b48b3a3661c698ec49167f29d5b2303a91f9ea

SHA512
9ec836da03a8fc33066f42b6187e94043c59e8c09334014249798b79f5cd4b1cd9a1783bcdbe548e3b3cb67c4a84099a4bddc885a0034030853cfbb544bb4dfe

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
165KB

MD5
d2c6f472a58df1904348a6d1bcb73c5f

SHA1
e14e9b59572ec8e37d528d75e9662d5b9eed8a65

SHA256
bd061dbbf47aa8de7a5031d90bba21b6059fb2380a01836d267c0ac17c9c1e6c

SHA512
9d0ac3b3e78711c7bf6d281a719ecf796044ec709aa6f7c9a716474e363a148503a6656ba1cbcb4beab90c9587ae5da154bf1df6a9bcb0eebf544fc552501625

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
165KB

MD5
baf6c98de2c91f4325a5b15d9e5abc5a

SHA1
ebc5cededd21509fa5a02052685439c71b0d2d85

SHA256
f2238d1d27bdef0fdf64a250934447cb55d5f0e7bf3faeab4ea8395f9442407f

SHA512
9ca47cdd3ff74e78297ba538ce790919e8a05c80778f201768d331d6dc8081496cadeb3a2092791e7538092f0f04b7fad911672ce4a1af5cf77725c15b17a812

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
165KB

MD5
cb96c2e65c2f1b349447e82215776393

SHA1
c637e3d4f1fa94cb32132df0e0b919536ad6a757

SHA256
4bb6d935a7189428a27eaa0f03be7f073c9e275feabe22d4c31a665946fa4ce8

SHA512
4e6564e054545a7859eb98e550526aac58d936a633e657bf7065f94a998296dee5311e8e19bee2cbb262dcba5a846b8abee25dc5c59c32e20bc0431d48cb6cc5

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
165KB

MD5
77ec0e3a5034e27c552fad185e2264c4

SHA1
a3cb222a27e8946a3ae8ed3c517248e6af7761ca

SHA256
6ca0e63266d9a60444508e726262b288ca6aed418d0a9d11290f68d8051215a3

SHA512
b432c0575226f41729ee52684d70675a89b808da05d1cee25a41938b30b76bfc9a1eb1ea16d7bab59d1710af90ce0bc361b65f5710dbdb8107d5604c212488fe

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
165KB

MD5
823791251b9c6a71c3a7da29cc795c8b

SHA1
1d139cb4e939c39fd2b33eac2fd3d94163b366f8

SHA256
856dac3bf83f47d2cd9b61d7482232dd5d243553aacef6318b0e8f3ae2b79b1d

SHA512
2ed54d72c2503d8d2065a0d4fb9c562db0539fa63afec8f2f806bb390da22dde48559a7146c47c4b8e7f10b4360309a690d2cd12b74f5ccb7cb199863438b6c8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
165KB

MD5
0da7c0d995fd5fd2ab573ca93bd320b6

SHA1
c300829270b56acb4241602feb81d3f0975c8419

SHA256
5b51e1b31fa3997ab662e5f63dceb01ce54fb3042349eafa9a24b659697deae0

SHA512
9f6bc8b46c29028f34a7032bf81ca55e7f8dbbc322f0c4e519e156093adb560f262637ff3b9c20571664edbd1be2f395bf67f31d61886972bb9451ae5cf4f577

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
165KB

MD5
e61fbd5f98e3624ccd12cc524715a735

SHA1
c72a86c4c9fddcdbd1784756cce4340a0072345d

SHA256
df8c93a147f27df802ca2da40dcefa9071a7ecade13a3a460b37aaef7f7c4ecb

SHA512
ca7142b2a7e5e45f6145bc67af2b8ab6421d264c4e45704eeeaf3ae68e3d7e17d618985476e5bb3a3a01d54f316377d4eb22722a5c480877c43f6386c6cdf81b

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
165KB

MD5
56d38c7dd58378c28f942977cf9a9281

SHA1
897a2bcffcee8f6a16bcbcdfb1ac7a5909ba00ca

SHA256
190df3bcb37f0a86e89fab5ea81566b12cbf66b350d228d57fe61bf41deb5bc4

SHA512
fb41a74e34da6933acb4b5ab850656026cf51e3d8616691c18b6a85db4c0c06ef35f3de4562a997a51d0d58ca90ab2f54210d2cd33449cf20ebe0e72957d4e83

Download Submit
memory/680-199-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/680-137-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/752-207-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/752-105-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1028-49-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1028-221-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1296-168-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1296-191-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1308-211-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1308-88-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1432-185-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1432-187-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1440-203-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1440-129-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1684-189-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1684-176-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1832-215-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1832-72-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2060-64-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2060-217-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2352-112-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2352-205-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2356-96-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2356-209-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2432-144-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2432-197-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2496-219-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2496-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3120-229-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3120-21-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3136-227-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3136-25-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3224-161-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3224-193-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3348-225-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3348-33-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3680-153-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3680-195-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3872-121-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3872-202-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4204-213-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4204-81-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4824-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4824-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4824-233-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4844-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4844-231-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4848-40-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4848-223-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads