587bc95a96c2a49b70d11c286b32c7ef3795a62bbb1d067d05be78f5481be3eb

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccec6c1a26dad4e86b05d00452320b40N.exe
Size

94KB
MD5

ccec6c1a26dad4e86b05d00452320b40
SHA1

3f3fdf7d6bb0e385aebf39b6d77dc6159f4a0503
SHA256

587bc95a96c2a49b70d11c286b32c7ef3795a62bbb1d067d05be78f5481be3eb
SHA512

4b773ae6ae36b739de9f961532c9916c1d80209c8c19579ba52fb9dfad94072a8bfc55f407b66d7f09152e5534e16c36100aac51826d95222e5e8f04620a016b
SSDEEP

1536:tG4e1k31ALqsrUoAUvUIv6SI04aIlsf4lANuAie6wWVLPHq39KUIC0uGmVJHQj1g:04iDUdUvUIv6SI02lfCCwWVjH6KU90uT

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ccec6c1a26dad4e86b05d00452320b40N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ccec6c1a26dad4e86b05d00452320b40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe

Executes dropped EXE 22 IoCs

pid	Process
4236	Cmlcbbcj.exe
3284	Ceckcp32.exe
3568	Chagok32.exe
4424	Cnkplejl.exe
3528	Cajlhqjp.exe
3576	Chcddk32.exe
4336	Cnnlaehj.exe
5016	Cegdnopg.exe
5048	Dfiafg32.exe
1924	Dmcibama.exe
60	Ddmaok32.exe
1532	Djgjlelk.exe
2720	Daqbip32.exe
1864	Dhkjej32.exe
3720	Dkifae32.exe
232	Dmgbnq32.exe
2384	Deokon32.exe
4388	Dhmgki32.exe
3992	Dogogcpo.exe
3392	Deagdn32.exe
3792	Dknpmdfc.exe
2768	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	ccec6c1a26dad4e86b05d00452320b40N.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	ccec6c1a26dad4e86b05d00452320b40N.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	ccec6c1a26dad4e86b05d00452320b40N.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2556	2768	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccec6c1a26dad4e86b05d00452320b40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ccec6c1a26dad4e86b05d00452320b40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	ccec6c1a26dad4e86b05d00452320b40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ccec6c1a26dad4e86b05d00452320b40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ccec6c1a26dad4e86b05d00452320b40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4236	4680	ccec6c1a26dad4e86b05d00452320b40N.exe	86
PID 4680 wrote to memory of 4236	4680	ccec6c1a26dad4e86b05d00452320b40N.exe	86
PID 4680 wrote to memory of 4236	4680	ccec6c1a26dad4e86b05d00452320b40N.exe	86
PID 4236 wrote to memory of 3284	4236	Cmlcbbcj.exe	87
PID 4236 wrote to memory of 3284	4236	Cmlcbbcj.exe	87
PID 4236 wrote to memory of 3284	4236	Cmlcbbcj.exe	87
PID 3284 wrote to memory of 3568	3284	Ceckcp32.exe	88
PID 3284 wrote to memory of 3568	3284	Ceckcp32.exe	88
PID 3284 wrote to memory of 3568	3284	Ceckcp32.exe	88
PID 3568 wrote to memory of 4424	3568	Chagok32.exe	89
PID 3568 wrote to memory of 4424	3568	Chagok32.exe	89
PID 3568 wrote to memory of 4424	3568	Chagok32.exe	89
PID 4424 wrote to memory of 3528	4424	Cnkplejl.exe	90
PID 4424 wrote to memory of 3528	4424	Cnkplejl.exe	90
PID 4424 wrote to memory of 3528	4424	Cnkplejl.exe	90
PID 3528 wrote to memory of 3576	3528	Cajlhqjp.exe	91
PID 3528 wrote to memory of 3576	3528	Cajlhqjp.exe	91
PID 3528 wrote to memory of 3576	3528	Cajlhqjp.exe	91
PID 3576 wrote to memory of 4336	3576	Chcddk32.exe	92
PID 3576 wrote to memory of 4336	3576	Chcddk32.exe	92
PID 3576 wrote to memory of 4336	3576	Chcddk32.exe	92
PID 4336 wrote to memory of 5016	4336	Cnnlaehj.exe	93
PID 4336 wrote to memory of 5016	4336	Cnnlaehj.exe	93
PID 4336 wrote to memory of 5016	4336	Cnnlaehj.exe	93
PID 5016 wrote to memory of 5048	5016	Cegdnopg.exe	94
PID 5016 wrote to memory of 5048	5016	Cegdnopg.exe	94
PID 5016 wrote to memory of 5048	5016	Cegdnopg.exe	94
PID 5048 wrote to memory of 1924	5048	Dfiafg32.exe	95
PID 5048 wrote to memory of 1924	5048	Dfiafg32.exe	95
PID 5048 wrote to memory of 1924	5048	Dfiafg32.exe	95
PID 1924 wrote to memory of 60	1924	Dmcibama.exe	96
PID 1924 wrote to memory of 60	1924	Dmcibama.exe	96
PID 1924 wrote to memory of 60	1924	Dmcibama.exe	96
PID 60 wrote to memory of 1532	60	Ddmaok32.exe	97
PID 60 wrote to memory of 1532	60	Ddmaok32.exe	97
PID 60 wrote to memory of 1532	60	Ddmaok32.exe	97
PID 1532 wrote to memory of 2720	1532	Djgjlelk.exe	98
PID 1532 wrote to memory of 2720	1532	Djgjlelk.exe	98
PID 1532 wrote to memory of 2720	1532	Djgjlelk.exe	98
PID 2720 wrote to memory of 1864	2720	Daqbip32.exe	99
PID 2720 wrote to memory of 1864	2720	Daqbip32.exe	99
PID 2720 wrote to memory of 1864	2720	Daqbip32.exe	99
PID 1864 wrote to memory of 3720	1864	Dhkjej32.exe	100
PID 1864 wrote to memory of 3720	1864	Dhkjej32.exe	100
PID 1864 wrote to memory of 3720	1864	Dhkjej32.exe	100
PID 3720 wrote to memory of 232	3720	Dkifae32.exe	102
PID 3720 wrote to memory of 232	3720	Dkifae32.exe	102
PID 3720 wrote to memory of 232	3720	Dkifae32.exe	102
PID 232 wrote to memory of 2384	232	Dmgbnq32.exe	103
PID 232 wrote to memory of 2384	232	Dmgbnq32.exe	103
PID 232 wrote to memory of 2384	232	Dmgbnq32.exe	103
PID 2384 wrote to memory of 4388	2384	Deokon32.exe	104
PID 2384 wrote to memory of 4388	2384	Deokon32.exe	104
PID 2384 wrote to memory of 4388	2384	Deokon32.exe	104
PID 4388 wrote to memory of 3992	4388	Dhmgki32.exe	105
PID 4388 wrote to memory of 3992	4388	Dhmgki32.exe	105
PID 4388 wrote to memory of 3992	4388	Dhmgki32.exe	105
PID 3992 wrote to memory of 3392	3992	Dogogcpo.exe	106
PID 3992 wrote to memory of 3392	3992	Dogogcpo.exe	106
PID 3992 wrote to memory of 3392	3992	Dogogcpo.exe	106
PID 3392 wrote to memory of 3792	3392	Deagdn32.exe	107
PID 3392 wrote to memory of 3792	3392	Deagdn32.exe	107
PID 3392 wrote to memory of 3792	3392	Deagdn32.exe	107
PID 3792 wrote to memory of 2768	3792	Dknpmdfc.exe	109

C:\Users\Admin\AppData\Local\Temp\ccec6c1a26dad4e86b05d00452320b40N.exe
"C:\Users\Admin\AppData\Local\Temp\ccec6c1a26dad4e86b05d00452320b40N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\Cmlcbbcj.exe
  C:\Windows\system32\Cmlcbbcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\Ceckcp32.exe
    C:\Windows\system32\Ceckcp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\SysWOW64\Chagok32.exe
      C:\Windows\system32\Chagok32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 396
        24⤵
        Program crash
        
        PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2768 -ip 2768
1⤵
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
94KB

MD5
ee11f468cae79df565a366b1e8d0a941

SHA1
f86ace8a63d7785c771b314385828549f5ad0266

SHA256
241189e1a355382c2797b132352803e44a6dee65a404648e8701c26ec9016a4d

SHA512
c07374fe3bb620698966e6087432133c2c6bed97d4b7eef1da76c26e8e1cdef1570ef9a30c52c37b1e263a1095e3453c484ef5453d59a902e3ff3459bd5d10ca

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
94KB

MD5
3287e3324d15b9457acbb3787b50d77f

SHA1
f1b79c327bf3efe94d7476055ba15f4e45cf1276

SHA256
88ee5e298e1ee296a1560cb81c8c9e817895d062096d99b2f23c1fb5dacd813c

SHA512
77559ca49647d8d5e6664fa1d71f005238b56680760d4b06ae0137622b2c22afe3b5d24fc4aee80d4540015a481d1d7263da021d11f4ca7fa26b9c01f9be4742

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
94KB

MD5
1812267ffef8f23129195a5385a045db

SHA1
e3a82f019fc8876b6dbe654653545d2db45e4629

SHA256
23f69b1f3f6808eeffb42f8552131ef22d26c5c8197e1f6b4d82018d2ebe799b

SHA512
b25b75fc20649de62f8c420b49371264b10b625eeb68e034fccb0883f6f61c972ecdddecdf974600e47e25256ed94de0ad58de0bce305575936888b358558386

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
94KB

MD5
5e8ccca95cd0b7f50ab77baf2f5bc296

SHA1
72026fa1a68a208a7b8d73855b9bd467424e8253

SHA256
d97445f9d19c88815cdb10ed695cd78424d7d5481f690a8171d62157e88fd46d

SHA512
55f2f2fab673e6f1bf3fa7c186c536346dcfdf3ceca96cee18bf9bc8b05e2c7a2139567a9e8e0b6f4de6695774295c3b56150f595e2c3e2be80f9f1ab11ca689

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
94KB

MD5
14421d9b7d6175f479af0e48aaade634

SHA1
1fdd397b6f10bae271112bc7d88c921bc0e4376d

SHA256
f2fae8a105b3375c5506131f14fc93150b6d3de70663164072d03125830e954f

SHA512
204357163a24c0649f1ab313bf5fe7033c0a26f131201e42ff7eb2f2c119053b6dcc73e25f51e88713597c4aa49c63ab4c010ac5873672814be65588ff47dea8

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
94KB

MD5
08926091f26be1af5a7de975bea1affb

SHA1
795fcbbe04e6053725def674b2f298dd92932cdc

SHA256
257267b72cb609c6f487e0f5d6d8d616b29d696aeea9ecace02d25bdde0a90d9

SHA512
b418fd924744a30a25ae63f26a5fb2d9f07b5a4691d120a246b65c31d0d7f35863c87223796a79898b5b666c634987fc28ab0a9203d49ef978bdedd35b90f98b

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
94KB

MD5
492e634035b468c590e49ac9bd1c6e94

SHA1
aa00fbc4c430ed88ba03cadb21b7a72bfafe21fe

SHA256
fec20d06a877feb085c7fe77fb53f291106484b2319ea0171b84612feac1b45b

SHA512
8211177d7a46925a83f8b983d7c2b99b09cf67f3403d86b0754776889fa63bf4031a183df9085a9e396a7077297f44eac5963413f7838c28eaea79bd099335ca

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
94KB

MD5
5c60d63770ec317d72e5933e0c5f796c

SHA1
7f2d88a55a50dd4423ac80178cfa6e8876b56d2c

SHA256
c80e8bbcb675fac744077b6b3aa793f6dd09abfd271230fb4334765d0a1569db

SHA512
06f841fcaf7aabff31becb3df74ccd29447aba840e943eacc289884699f048bb4af23aa55a55e5b2b2134f5eceaa2a626ed2b9cbbe7ae6bc96bf13c09de3d615

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
94KB

MD5
2c4c3cd7a325ae066bad7f1053c542ae

SHA1
2971763ada8a5717cccdafbeaf8dabfb073e59cb

SHA256
c86aaec4bdf5e1d77234736cc9e7437df433a9805d134469feecf044f8b4cde9

SHA512
de546986297830c27fc1a86235718cf38367c5b66008cc788deceb8840f4db8113a9b696bb4a13e5ae2bcb1a4b042f178057fc5065549ad1892a9b000414cd2e

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
94KB

MD5
fbec80294d126fdc73d3b66fbebfee26

SHA1
096a5f0abe307fc90b321e3fce3b11af0e2e89f5

SHA256
e83b4a4dffb40709e956179acbb5e4940a6a6d6df3b105ebad7257fc1744cb03

SHA512
3576cc61c0317728930f5c87a1bab2eb23fb1af12b9f48bb08da5e94205421e3ca95c6441847393db9625a403c13721a0b2a80e27cd4bff88fa8e4640240c8cf

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
94KB

MD5
15e92d0660debdff829a76504cbb284e

SHA1
05b6230964fe6fa3e8037a1d4ab9e413aa47a649

SHA256
4999c93957d6b4b7d57a74769197cad14bfc3c87e7167156479036caa49b72b0

SHA512
15e89ce19fa177d0eb65773f1bb6d64b69b7f84478a4b1f1926adce69a2d0a1f958a7cb07345731b1f348c26ad27c1701089be57a3880b68cc6fd6f33be61111

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
94KB

MD5
979962f5ecd403dc775767e0f008747d

SHA1
7b2358377cc8ef0c22c08dfc3b8569202c484fa4

SHA256
8b75f56b40c6ea836656d10e61326d8cd7876a0bce9a0364d07f91740d1a7a21

SHA512
3de96afaf5792d4defdca27b6db8fd8d2639089dc1d935bbf2fd4ab9f8f59c47fb353b1b95e40285eea587b2f7ea233416f529319588f433e10a9f1b42ce0957

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
94KB

MD5
3a1b8f0cb19597bd4c313699d1f5f288

SHA1
c390db738044980be8e954b76baa346a00a40a88

SHA256
80b538beac1b47d2d012fe74d795fd265ecbdee6a0937d1d958c2ecb69ae40d1

SHA512
21a6f006e3fbe1db0a5aae0688784212fa206dc468f2fcd20c39b698943160aa4bf82d7920d7cb19247684fd3ee5627c5714caa84e2c9a5dd95ebdb796ccf100

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
94KB

MD5
430f0bcee7b8007418b1b1776262adf7

SHA1
b95dd16b65a6aa9423bb817af4ee3cd6765a7de0

SHA256
99c38d093daaa72a534b3e324e7892c7097d7604f61cd523a8f600ea9729dfe2

SHA512
120c3b3ce1378693488b10bafb8a4637661018213a8832ff9b72d696f67eaed5abcab0912a4efe1dfec9afb1c262609a2c7124020f74f84d8ed7136888caf3d1

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
94KB

MD5
acb8534697ba4548226f4b4321013a31

SHA1
aaf561bbf220bc5a82405f11c9c39a7259eb563f

SHA256
b0af50327b4f33596ec90381e590f2c5eb0233ba648a5dacfae92a595e485e22

SHA512
5eff39d46b4dab79b57abb20b56cd96ac53702139e76a2c711de2fdfe6e124130d4d75a1a3fcd29d2f523192476ca083374ddcb6e868aee7dd9d7146537cd80b

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
94KB

MD5
585b5f1c214c6d51b3370f89f91c16fd

SHA1
54df2e8b27ed042fcee76dbb9488ab81f33afb7a

SHA256
8557946a0a0a59fdc2f11671437dbdac68c90ada6988579e7ef939631406b940

SHA512
796c9687a24ead5452de6cb9b3b9acdd7a101c7df15db645a51b52b6f14335beb116ff5a9ea94419113be2a39131e87c3f73400231af351b88c0c205e6232b85

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
94KB

MD5
21f337e65e37ef8258ff1a9f315288d9

SHA1
83f8c34af0393535fe58fd8e3ea153b78f8df0d9

SHA256
46d2e5c44f463c8caa689a17b99a3c6a7d53fb4b9b49797f5c3103c106ce7738

SHA512
4bb226614bffd98142a5717b353466d6fc190b146f3509f0d3d442a374ad26002e6ad4735c424fd1d296b12e88d4d6fc5b615b431cc6994474a9def4beed2b2e

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
94KB

MD5
6704ab0ad602c77449791980b1f96bdb

SHA1
092fd5361a2a0634c781a6fa14063720c223c987

SHA256
9f04aed4ebb8ad55363c90bb56b11eab1835323d32b31fa5119ac8ef898f3d42

SHA512
44c4ef3436ac93f53a17049a7fa735b8c1bb2de1600cbad4fc5d018fa9f4f6085e9a9203c1112938eca518296e86fee1db75417f6ec26951ea652da64f7c09fd

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
94KB

MD5
4e6db944e2bb3772db5b84e0d3982a6d

SHA1
64b04a4219819e6fa42891bb068122f3fb8007ae

SHA256
b3120944f5498d6d4421df97548f1682e09ddd716bf3c280f89e9d9f3be63b02

SHA512
fb73f60499bd5e7dbacf4be9e074533b1502f33adbf908200a77fc4257c1c54372381ba9db162526418908c5c358c46b006ef4a41ce712a4ff97209389971c59

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
94KB

MD5
a0eb075d752069116afa14f5766bf0bb

SHA1
57e09728f74c50f411fe3d3b11ecb8280121c888

SHA256
10282dd426b0461cafc1f309e7b1a746ec8bc6705315fd5067dcef15ec26f99b

SHA512
919d2edcc7998deacec7c0d1620772f4ceadbf790c0cec3aec261c18b2844e3a6465af1073656bc4e335c2fa3456474d643aaa6f38bada330f7a5c462bb1c660

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
94KB

MD5
2f99e49faeda75d6c1e29ec27f07c395

SHA1
da6afdf4c455ca022b52be63a954db7178245d6d

SHA256
b07d152192d1d65f8a68653c0579a15683c218c11f19eaae071e6439d07d91e4

SHA512
8e0015a6192c0461e36952b6c6fac2f34264080e87970fc0f03ae2340fa6faef800f48a82586449e0492336ed308d79551c1bc02141fd9df138f65c9933feb28

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
94KB

MD5
2b051a35aa12fc28719b98e4ad869896

SHA1
d8d6ee12dcde14d02b4e0fa37291650e3dce47b0

SHA256
de6c3dd7c35282c5d4fa9b226e8b47269ac374595d51e74dbf039aa47ebec93d

SHA512
d3c6a055f7e33333c2938c76cdac931773929a8481ad1b37514c5bdb3a45fbcddc0f92af0f8d2bc9e38e6d418cc5cc0992e51d87c592f6ffcd638544eb5a1dfb

Download Submit
memory/60-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/60-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/232-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/232-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3392-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3392-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3568-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3568-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4680-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads