7aa0e45130620548a217e411adde0247c7df0ae815e1eb08761a9f9a23b24901

Analysis

max time kernel
30s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 05:40

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ef84034c1cfeef320182b70ba96cf800N.exe
Size

160KB
MD5

ef84034c1cfeef320182b70ba96cf800
SHA1

76d96a0b5d358228fe459f86da979cc65031eb81
SHA256

7aa0e45130620548a217e411adde0247c7df0ae815e1eb08761a9f9a23b24901
SHA512

b0c835ac43ec7ff8ab261bdb6e35b189dfd1e857a05a1b8f97d5af031cc1c7f8d434b40162d5b244389ee5474f41ab7a48ce4b600256bd339b6a89f08377cc42
SSDEEP

3072:6Gfwp2A88Wnd9K+LokZZsqfQhUzp4PmebD5Vo3gLJbGFE22VasiZoR6sCtAC8:6Tpy8W6+ThQh+oHbD5W3glbGFIasUDsn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ef84034c1cfeef320182b70ba96cf800N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ef84034c1cfeef320182b70ba96cf800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe

Executes dropped EXE 21 IoCs

pid	Process
4136	Ceqnmpfo.exe
1216	Cnicfe32.exe
4668	Cagobalc.exe
2700	Chagok32.exe
4364	Cnkplejl.exe
4780	Ceehho32.exe
4444	Cffdpghg.exe
840	Calhnpgn.exe
2140	Ddjejl32.exe
788	Dopigd32.exe
3028	Dejacond.exe
4336	Dhhnpjmh.exe
1528	Djgjlelk.exe
4548	Dobfld32.exe
2732	Daqbip32.exe
3624	Dodbbdbb.exe
4544	Dhmgki32.exe
4856	Dkkcge32.exe
976	Dmjocp32.exe
4844	Dddhpjof.exe
1760	Dmllipeg.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	ef84034c1cfeef320182b70ba96cf800N.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	ef84034c1cfeef320182b70ba96cf800N.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	ef84034c1cfeef320182b70ba96cf800N.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
640	1760	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef84034c1cfeef320182b70ba96cf800N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ef84034c1cfeef320182b70ba96cf800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ef84034c1cfeef320182b70ba96cf800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ef84034c1cfeef320182b70ba96cf800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ef84034c1cfeef320182b70ba96cf800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	ef84034c1cfeef320182b70ba96cf800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ef84034c1cfeef320182b70ba96cf800N.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 4136	3744	ef84034c1cfeef320182b70ba96cf800N.exe	84
PID 3744 wrote to memory of 4136	3744	ef84034c1cfeef320182b70ba96cf800N.exe	84
PID 3744 wrote to memory of 4136	3744	ef84034c1cfeef320182b70ba96cf800N.exe	84
PID 4136 wrote to memory of 1216	4136	Ceqnmpfo.exe	85
PID 4136 wrote to memory of 1216	4136	Ceqnmpfo.exe	85
PID 4136 wrote to memory of 1216	4136	Ceqnmpfo.exe	85
PID 1216 wrote to memory of 4668	1216	Cnicfe32.exe	86
PID 1216 wrote to memory of 4668	1216	Cnicfe32.exe	86
PID 1216 wrote to memory of 4668	1216	Cnicfe32.exe	86
PID 4668 wrote to memory of 2700	4668	Cagobalc.exe	87
PID 4668 wrote to memory of 2700	4668	Cagobalc.exe	87
PID 4668 wrote to memory of 2700	4668	Cagobalc.exe	87
PID 2700 wrote to memory of 4364	2700	Chagok32.exe	88
PID 2700 wrote to memory of 4364	2700	Chagok32.exe	88
PID 2700 wrote to memory of 4364	2700	Chagok32.exe	88
PID 4364 wrote to memory of 4780	4364	Cnkplejl.exe	89
PID 4364 wrote to memory of 4780	4364	Cnkplejl.exe	89
PID 4364 wrote to memory of 4780	4364	Cnkplejl.exe	89
PID 4780 wrote to memory of 4444	4780	Ceehho32.exe	90
PID 4780 wrote to memory of 4444	4780	Ceehho32.exe	90
PID 4780 wrote to memory of 4444	4780	Ceehho32.exe	90
PID 4444 wrote to memory of 840	4444	Cffdpghg.exe	91
PID 4444 wrote to memory of 840	4444	Cffdpghg.exe	91
PID 4444 wrote to memory of 840	4444	Cffdpghg.exe	91
PID 840 wrote to memory of 2140	840	Calhnpgn.exe	92
PID 840 wrote to memory of 2140	840	Calhnpgn.exe	92
PID 840 wrote to memory of 2140	840	Calhnpgn.exe	92
PID 2140 wrote to memory of 788	2140	Ddjejl32.exe	94
PID 2140 wrote to memory of 788	2140	Ddjejl32.exe	94
PID 2140 wrote to memory of 788	2140	Ddjejl32.exe	94
PID 788 wrote to memory of 3028	788	Dopigd32.exe	95
PID 788 wrote to memory of 3028	788	Dopigd32.exe	95
PID 788 wrote to memory of 3028	788	Dopigd32.exe	95
PID 3028 wrote to memory of 4336	3028	Dejacond.exe	96
PID 3028 wrote to memory of 4336	3028	Dejacond.exe	96
PID 3028 wrote to memory of 4336	3028	Dejacond.exe	96
PID 4336 wrote to memory of 1528	4336	Dhhnpjmh.exe	97
PID 4336 wrote to memory of 1528	4336	Dhhnpjmh.exe	97
PID 4336 wrote to memory of 1528	4336	Dhhnpjmh.exe	97
PID 1528 wrote to memory of 4548	1528	Djgjlelk.exe	98
PID 1528 wrote to memory of 4548	1528	Djgjlelk.exe	98
PID 1528 wrote to memory of 4548	1528	Djgjlelk.exe	98
PID 4548 wrote to memory of 2732	4548	Dobfld32.exe	99
PID 4548 wrote to memory of 2732	4548	Dobfld32.exe	99
PID 4548 wrote to memory of 2732	4548	Dobfld32.exe	99
PID 2732 wrote to memory of 3624	2732	Daqbip32.exe	100
PID 2732 wrote to memory of 3624	2732	Daqbip32.exe	100
PID 2732 wrote to memory of 3624	2732	Daqbip32.exe	100
PID 3624 wrote to memory of 4544	3624	Dodbbdbb.exe	102
PID 3624 wrote to memory of 4544	3624	Dodbbdbb.exe	102
PID 3624 wrote to memory of 4544	3624	Dodbbdbb.exe	102
PID 4544 wrote to memory of 4856	4544	Dhmgki32.exe	103
PID 4544 wrote to memory of 4856	4544	Dhmgki32.exe	103
PID 4544 wrote to memory of 4856	4544	Dhmgki32.exe	103
PID 4856 wrote to memory of 976	4856	Dkkcge32.exe	104
PID 4856 wrote to memory of 976	4856	Dkkcge32.exe	104
PID 4856 wrote to memory of 976	4856	Dkkcge32.exe	104
PID 976 wrote to memory of 4844	976	Dmjocp32.exe	106
PID 976 wrote to memory of 4844	976	Dmjocp32.exe	106
PID 976 wrote to memory of 4844	976	Dmjocp32.exe	106
PID 4844 wrote to memory of 1760	4844	Dddhpjof.exe	107
PID 4844 wrote to memory of 1760	4844	Dddhpjof.exe	107
PID 4844 wrote to memory of 1760	4844	Dddhpjof.exe	107

C:\Users\Admin\AppData\Local\Temp\ef84034c1cfeef320182b70ba96cf800N.exe
"C:\Users\Admin\AppData\Local\Temp\ef84034c1cfeef320182b70ba96cf800N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\SysWOW64\Ceqnmpfo.exe
  C:\Windows\system32\Ceqnmpfo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\Cnicfe32.exe
    C:\Windows\system32\Cnicfe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\Cagobalc.exe
      C:\Windows\system32\Cagobalc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 408
        23⤵
        Program crash
        
        PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1760 -ip 1760
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
160KB

MD5
2a8c966cdb8eec6554872412a662460e

SHA1
e41245add2c061f21ba6de2c4dbe982de508a1ef

SHA256
1bc90d02d1015ad3edaa860777ffb6e6e79fe77d68c44a16f3fb84a26e2695a8

SHA512
c70bc5d0c6a7cd806ab57741531f86837b5b624d11b519c56e74998886357d02e72be6f3074a9a539a6ab8a01407bfa0993d3271f10beda37467c3f0bab789e9

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
160KB

MD5
e4848d37ba164955aa7a14203d037ccc

SHA1
91e67779bb8b383f2716e19eb3fdd59df9cb428e

SHA256
95c8d14b888aa8450e58bbc42c8f562b0dff4e6b2e5cac8f6f1634bd2094fdd8

SHA512
461d9fa4d6dbc36c8b3d9ee0591e2acc392814bf7dd55e53d7fd8ed15c71265fd4832ed98a3224b9ecfe2305ea538fbc16c019c39d6af7e64f1fd2ecaf085216

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
160KB

MD5
9968d2aafaa08046559de49f054d9606

SHA1
9cc13e17cb6708470a9ad026238820bb305de7be

SHA256
c082ab6d90335db26eedb401b94bf151248c9d637e079b7c6017aa1b867981ca

SHA512
58c8c17cde661dee3219c1a0894219824d9ce1c35d221214b007d3992a5277ca5fd0ea81774e0dd0cec2cba91c51d418d53451bab0490988c8a74bca8fd44d1e

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
160KB

MD5
3dadf852c16f954fb5779a8f9df66144

SHA1
87ced9255572606c4aed0788d551212b93170f76

SHA256
7270ff92c9746c292dd6f48f15b1dfe62edcb8593ae61ae9d2533f6466194fe3

SHA512
ee883fded221d6b079bbcc3423958bbb0dab3b285277c10a862dd84882a93dbdb5d817b66ab9c17cdf223ffaa311c72e82e049d204a42e86566ade6928fa9b27

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
160KB

MD5
131386bb5444f0f2dfb0feb7ccf45ad4

SHA1
f2c7569527102f2d95e5e45291e5c41e9f3dbe7b

SHA256
7640bff616617b709a9cc69a726850b25a258147bdaece598d4a995bff1c5196

SHA512
f7055a9eaea82652f1a69acbcdea51677c038977d90fc423f87b07b2200826e9eac5c1b67edde977febeec9115d647a23d9acd40e479265d4764973c6399f7ad

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
160KB

MD5
f44e25a37b32e3199ed44c83f5852699

SHA1
d72071888b5ccd3d9bad21b2369d622548087c48

SHA256
1122ec19c8f0bc77b8ffd80371b24eb54809735ac800ff4f203d8c52b802fadf

SHA512
ded8f10a01a49ef7b134a4c95b47fc8ca5d5c58059d1f9f7042c98994b1466987bfa478b581c577801cf4bc329986601496a4888878ec06e0a66ecd595205956

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
160KB

MD5
6ff87041d16a5cd4263362372ac55e03

SHA1
d590a9cb75d0e01cae4b71fb915e93badc4ac8a7

SHA256
d4e51c05d16c6b2e31ffc95ab4c5f5e53ff2112e210dc69ab79b45f4498f485d

SHA512
426506f22e60a8a5b6ff3713a89798fab3867bc36d8734b0746bdff25eec33155e23f6f5862aa9105b90c38cb69d4af9e1b2f9d5f6aa4abf63b8ca7e234c92a7

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
160KB

MD5
309b646834844befb703f0a7e81ce2f4

SHA1
f0588e9cefb90717c7240794b36b2da75405083e

SHA256
169a0b43fa2b2bbe4a011d51c09f4d44e2d0d28308b064d5592292fb62db4c2d

SHA512
157f566b997b1e0baa473a7ceafdd8c367e0eb754d1495ed52b2f0a303392f293603303ea436c5b6300202a716dc81c40a8ce9e0ed76400babe3d3ebd73a5fa8

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
160KB

MD5
396b416f518594e1acebd214208ce138

SHA1
619c2fd2899ff7edcea91b86a5ea80689c0721b1

SHA256
c9e4d68543305b2d66cc009dc6bd2c2bc0867cd81621d049348101b18954b5a3

SHA512
8969129118302ec6e1c0f2566c3c666d1b4e472d0a49a4d32902f5f79bfcb25856807b950d0bbdffc0e322712c3647d2bf2cbd4178566293af668a7b9267bd55

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
160KB

MD5
51b6e339aecdc83a0b23b5d5fc1e5f41

SHA1
e19dcf3d82f27bfa2891d2fdd11b526eebdd5e61

SHA256
eb191724535b765a9c1caec8028973119352cf3f5c726c2edc811d2ce6923f68

SHA512
8d26a9ae90743c1e99c1e5d3b1716966aee9af4e757ba417bfcce3c75c2d6e00d741dd76377ee846a4c69191246c7929afefc6f487ebbddfc9e3ff86b67eced2

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
160KB

MD5
dbaba268d0507ab3a202a27412779957

SHA1
e9bc426ad1c6491c1e9e968221a1dcb8dc2a8399

SHA256
e49cf8df698d52bc21d99a8c0a024c1a681c9faad8d1d6b271308b43da5ac870

SHA512
178b270908da3aff6f01a86002493835715c0b7b31d19c901b0eddb903eb7411c75b4363af3da7bb84e1e2b827539ecfcb252b81be0d12d61d595391d0a695c5

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
160KB

MD5
f0942f70426c60c83b2bc97b2766ca3f

SHA1
ef7ac3be74c26b4e74f57fbad4f7c5b110e507a0

SHA256
da30372afa5e53ed05a4fbdec77959b518e3bbbe7b488a35314908f8a587f8d9

SHA512
76e1252058a8e13d5b8513f0369f612b02ca085260e8a4974e9685c5c83fda3808353108b0240f155497539d2a8f9b9a58ed66675867c697bd3786ad687f08dd

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
160KB

MD5
84a2d2a14edc27a02bee4f8c5b6b46bc

SHA1
0b41f98bb5c35be3a9176f8b5cfe780cf591bf09

SHA256
233c65771d14838861516be1ecc7a2aab738febcf4d54d96d1f1b0580e8f5399

SHA512
23d590093cfcd9e3944589c298f16f7d5f52e6052df1aee3d93010805e4e596cb7ed864408215cd3610adb2d33625549e847d38024dba4304415f5786ba2626c

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
160KB

MD5
ff40458b79d8badd8436ce4cb439d3b7

SHA1
12c8e2a4424c2d9a816eb72e7f39706abdaf0e15

SHA256
bd84c8dd45c583d7a4efb88cf49bbc0cdfea1f540f55d7edfc0337e7b89c61d0

SHA512
e6c77bb35aa299823126da6132bf9bf5dcec873579f62d7231782013e7ff8eb724a44549b67581d607b3fac9176d3d6c3ab7ebd11b016acb8cfc1e9723920495

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
160KB

MD5
9249b82b423a15cb786641fca3649d28

SHA1
e78be8b2456df161549bbb2149f6763b25081d36

SHA256
76d903c99721e8e104b32aa9920ad2a8d5f84cbbe914c275ac6e8d41cda95f3f

SHA512
15d6917ee31910615f2634cda464a2462fed67985cb8c5dfb01778e98c32333b26a8540e6c78f90630f0dbaa55fe7b1727537ab40c2ced2807c906b72039e5d9

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
160KB

MD5
8e1b967ce380ab6ddf88379751930648

SHA1
72df7c9747af919de0d866e1b81af786dd9fb8c1

SHA256
deba1f9984ab1440bcfc8b18f42424082d817931dae429c22377cad07f2ca8bb

SHA512
cb807b95f0593f44d674ae84306e98ff5ad918d33e811fd052099362a89e7df31c4ffec5bc2f5edabe49af6228a4fd42f9be9c309be36b649251dbabb5a7989d

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
160KB

MD5
545bb0d9305ffa6ed307a4793363bc66

SHA1
c54869177d69ce3b18f60ee2fd905e08f3b2824f

SHA256
ae03dde803d8e9c9b0346c3c237bb1905de9f40c67ccc265c988c070008ffabd

SHA512
86963d0fc7ca52d76d7199cdce3aae12b1c6ec0490c66f4a4a788cd0e670a7dbfd1d946be038bf7edf844fbff84b92cf51991de0aceb2e046052df9ce4e82d9b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
160KB

MD5
922e2c2b917803bdb4be485c39d09a8a

SHA1
186eb55f3a78bc120a4c31f6f9798985caea327b

SHA256
6644ffa9482dd571426fe78fa82a311e2bc254ead3a03afbd70053574c176d52

SHA512
a51594d75a28fc3e83ae19a4ac70cb657f5a20b4f87c07cfa39f2772844cbecc99e460e8e9edfe2c985aaaeb7343828120c31616739bffb856d576763b263166

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
160KB

MD5
6ff14d8a7b6d36aa65ab73f0c12b4630

SHA1
40078c86330c147f5742c09d212a07654a8ac5ee

SHA256
5468c0f353bb7145cca5fa52956e56c317aa50f6eb71d86ee35fefe1df8432d3

SHA512
32c58681fe9464ff4c9fe032b863ac1c143e15742a9f36b80c08f55267b0935c88e837bb4e45bb035d8aa6d98524b31b63a3359579ba9b8b89dc9171a0903cc7

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
160KB

MD5
e2fb749921516e56fa2198a8ce8c988c

SHA1
f9aea46d2f49891e06b519e370acddc4a8db5830

SHA256
14f64de2d8df92b289507a19dfcb91513c26b44400567b3b8a3b2fb4e6c6fdd4

SHA512
2ed333711edf5cce1648d3b00187e924cda57ef2bed2d81f90c5c7f5800c906086a2be23c70a597b4be8fa0505cfbded5cc8dca33435370245fd4096ddeb4684

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
160KB

MD5
fc81bcbd75fdd3d78d3bc914cee7f5ac

SHA1
47988d258253bdf859c9dfc7de3268519b6c643e

SHA256
3abffe84cfa35a0699261c47aa9eb335043e04704c6e00cbf665e16904c70a91

SHA512
49c6ce64f312777dc3a2322f52405972fb8d52f7d5c053b4a9a466942cb71429924db4bdc24e0439ee8cfa3b223094201b99b1ca46f286ea5571f6ffba98c03a

Download Submit
C:\Windows\SysWOW64\Pjngmo32.dll

Filesize
7KB

MD5
69fb2935880a26581e6f6d1885763c15

SHA1
791db7736a508ae9dd48f5d36b65171ca466da16

SHA256
b6598cbc2e90f17b1511a83254d95ded21e1a96c154dadc2ffde5f1a104ea306

SHA512
47077bc1ddcf3b0d75a5923baae559c5867770e6c759dd78926be4c1b849dfa9993dba074cbd7e4d5f7e66292fd57e2fe0022cea83ca8cf5c1b0cdc83d5efdd9

Download Submit
memory/788-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/788-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/976-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/976-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1216-186-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1216-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2140-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2140-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-174-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-187-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4548-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4548-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4668-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4668-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-182-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-170-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-171-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads