16678638b8a1831b846f96292d56d74bc162df52416ea437c34a5cdae3d5881f

Analysis

max time kernel
113s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

839db486164e461f9cc543565ada0b00N.exe
Size

90KB
MD5

839db486164e461f9cc543565ada0b00
SHA1

921462c1e66c66dba6f1616938d7fae848490e29
SHA256

16678638b8a1831b846f96292d56d74bc162df52416ea437c34a5cdae3d5881f
SHA512

fc526e35dea209efc726ccc21a8d4a80596a36b62c33b7bf5e873d09d28a6ec286ed8e849ae2dfdea1385ffafebfe63f11256f5811b3e7afeb0dd899e9e42820
SSDEEP

1536:Ez27SC5idy74iQg1ER9IJoi1IvQN2I/x5HdixvFyQLeXc9FG1u/Ub0VkVNK:GKSC5ik74iQ0Eyoi1GQN2Ip5HAxvFyQn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	839db486164e461f9cc543565ada0b00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	839db486164e461f9cc543565ada0b00N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe

Executes dropped EXE 22 IoCs

pid	Process
1552	Cjmgfgdf.exe
740	Cnicfe32.exe
2792	Cagobalc.exe
2916	Ceckcp32.exe
2212	Cnkplejl.exe
1948	Ceehho32.exe
3212	Chcddk32.exe
5048	Cmqmma32.exe
3476	Calhnpgn.exe
2584	Dhfajjoj.exe
1676	Djdmffnn.exe
4960	Danecp32.exe
1156	Dfknkg32.exe
2268	Daqbip32.exe
2164	Delnin32.exe
2920	Dfnjafap.exe
4052	Dmgbnq32.exe
3800	Ddakjkqi.exe
5088	Dkkcge32.exe
3548	Daekdooc.exe
3268	Dgbdlf32.exe
1432	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	839db486164e461f9cc543565ada0b00N.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Maickled.dll	839db486164e461f9cc543565ada0b00N.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	839db486164e461f9cc543565ada0b00N.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3600	1432	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	839db486164e461f9cc543565ada0b00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	839db486164e461f9cc543565ada0b00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	839db486164e461f9cc543565ada0b00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	839db486164e461f9cc543565ada0b00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	839db486164e461f9cc543565ada0b00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	839db486164e461f9cc543565ada0b00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	839db486164e461f9cc543565ada0b00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 1552	4236	839db486164e461f9cc543565ada0b00N.exe	84
PID 4236 wrote to memory of 1552	4236	839db486164e461f9cc543565ada0b00N.exe	84
PID 4236 wrote to memory of 1552	4236	839db486164e461f9cc543565ada0b00N.exe	84
PID 1552 wrote to memory of 740	1552	Cjmgfgdf.exe	85
PID 1552 wrote to memory of 740	1552	Cjmgfgdf.exe	85
PID 1552 wrote to memory of 740	1552	Cjmgfgdf.exe	85
PID 740 wrote to memory of 2792	740	Cnicfe32.exe	86
PID 740 wrote to memory of 2792	740	Cnicfe32.exe	86
PID 740 wrote to memory of 2792	740	Cnicfe32.exe	86
PID 2792 wrote to memory of 2916	2792	Cagobalc.exe	87
PID 2792 wrote to memory of 2916	2792	Cagobalc.exe	87
PID 2792 wrote to memory of 2916	2792	Cagobalc.exe	87
PID 2916 wrote to memory of 2212	2916	Ceckcp32.exe	88
PID 2916 wrote to memory of 2212	2916	Ceckcp32.exe	88
PID 2916 wrote to memory of 2212	2916	Ceckcp32.exe	88
PID 2212 wrote to memory of 1948	2212	Cnkplejl.exe	89
PID 2212 wrote to memory of 1948	2212	Cnkplejl.exe	89
PID 2212 wrote to memory of 1948	2212	Cnkplejl.exe	89
PID 1948 wrote to memory of 3212	1948	Ceehho32.exe	90
PID 1948 wrote to memory of 3212	1948	Ceehho32.exe	90
PID 1948 wrote to memory of 3212	1948	Ceehho32.exe	90
PID 3212 wrote to memory of 5048	3212	Chcddk32.exe	91
PID 3212 wrote to memory of 5048	3212	Chcddk32.exe	91
PID 3212 wrote to memory of 5048	3212	Chcddk32.exe	91
PID 5048 wrote to memory of 3476	5048	Cmqmma32.exe	93
PID 5048 wrote to memory of 3476	5048	Cmqmma32.exe	93
PID 5048 wrote to memory of 3476	5048	Cmqmma32.exe	93
PID 3476 wrote to memory of 2584	3476	Calhnpgn.exe	94
PID 3476 wrote to memory of 2584	3476	Calhnpgn.exe	94
PID 3476 wrote to memory of 2584	3476	Calhnpgn.exe	94
PID 2584 wrote to memory of 1676	2584	Dhfajjoj.exe	95
PID 2584 wrote to memory of 1676	2584	Dhfajjoj.exe	95
PID 2584 wrote to memory of 1676	2584	Dhfajjoj.exe	95
PID 1676 wrote to memory of 4960	1676	Djdmffnn.exe	96
PID 1676 wrote to memory of 4960	1676	Djdmffnn.exe	96
PID 1676 wrote to memory of 4960	1676	Djdmffnn.exe	96
PID 4960 wrote to memory of 1156	4960	Danecp32.exe	98
PID 4960 wrote to memory of 1156	4960	Danecp32.exe	98
PID 4960 wrote to memory of 1156	4960	Danecp32.exe	98
PID 1156 wrote to memory of 2268	1156	Dfknkg32.exe	99
PID 1156 wrote to memory of 2268	1156	Dfknkg32.exe	99
PID 1156 wrote to memory of 2268	1156	Dfknkg32.exe	99
PID 2268 wrote to memory of 2164	2268	Daqbip32.exe	100
PID 2268 wrote to memory of 2164	2268	Daqbip32.exe	100
PID 2268 wrote to memory of 2164	2268	Daqbip32.exe	100
PID 2164 wrote to memory of 2920	2164	Delnin32.exe	101
PID 2164 wrote to memory of 2920	2164	Delnin32.exe	101
PID 2164 wrote to memory of 2920	2164	Delnin32.exe	101
PID 2920 wrote to memory of 4052	2920	Dfnjafap.exe	102
PID 2920 wrote to memory of 4052	2920	Dfnjafap.exe	102
PID 2920 wrote to memory of 4052	2920	Dfnjafap.exe	102
PID 4052 wrote to memory of 3800	4052	Dmgbnq32.exe	103
PID 4052 wrote to memory of 3800	4052	Dmgbnq32.exe	103
PID 4052 wrote to memory of 3800	4052	Dmgbnq32.exe	103
PID 3800 wrote to memory of 5088	3800	Ddakjkqi.exe	105
PID 3800 wrote to memory of 5088	3800	Ddakjkqi.exe	105
PID 3800 wrote to memory of 5088	3800	Ddakjkqi.exe	105
PID 5088 wrote to memory of 3548	5088	Dkkcge32.exe	106
PID 5088 wrote to memory of 3548	5088	Dkkcge32.exe	106
PID 5088 wrote to memory of 3548	5088	Dkkcge32.exe	106
PID 3548 wrote to memory of 3268	3548	Daekdooc.exe	107
PID 3548 wrote to memory of 3268	3548	Daekdooc.exe	107
PID 3548 wrote to memory of 3268	3548	Daekdooc.exe	107
PID 3268 wrote to memory of 1432	3268	Dgbdlf32.exe	108

C:\Users\Admin\AppData\Local\Temp\839db486164e461f9cc543565ada0b00N.exe
"C:\Users\Admin\AppData\Local\Temp\839db486164e461f9cc543565ada0b00N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\Cjmgfgdf.exe
  C:\Windows\system32\Cjmgfgdf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\Cnicfe32.exe
    C:\Windows\system32\Cnicfe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\Cagobalc.exe
      C:\Windows\system32\Cagobalc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 408
        24⤵
        Program crash
        
        PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1432 -ip 1432
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
90KB

MD5
f6c6237eaa79cbbdd84a9496327ec428

SHA1
c0bd358d2de3734382ef22e7821674cd98e01f7e

SHA256
3c18eba99b70e0313adaca74c337e6f60b0478bf719580f9526f70c11d3852df

SHA512
109c96dd45471c9f2640163073aa742238ca6d499dab0c9d427e6cf5b64f8789387024aa43bf82e1c249c639857fcc3445679f1682883f547f974f520a2db6fd

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
90KB

MD5
6f8f56673ac041092b48215856fcee42

SHA1
2fa7ccad7158f55dc529777990dda28a1e65e7dc

SHA256
149fe15a75ca4a0403d08f335eead44371837a47817c6cd30b3cc5d0b09d7c1b

SHA512
f0d926d7bb1c2a304dfbced8b1661b086541de8fab9b59eba5e840a04a31849e7f362f27f7f2417e7055ae597889a9cf9ee86087e41466b9743e642ea49e3f54

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
90KB

MD5
fe1da27ef4d057e9dfd4ac699f847431

SHA1
537385d4d142dede54d4f234c206608be8957fe6

SHA256
5e1ae6643a810fb87fff90b0f72c77e77d10b9a9a2d65998aa328885440181bf

SHA512
3a72110e0eb6494d2b456729cdf56abb34397226aa4e75e29b3b662e62459ab3de2f3cbb3a2114717439e5d14c6d758fe7bb65313383df780e7ad186b77b1a36

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
90KB

MD5
b377868ae49312b7ac22a91a16ce892c

SHA1
73a474485131bebf7651dc285ffe8a5c83556561

SHA256
99ebfc95be06828255b4412e8b5e9a2610ef09a86342c3352f9ca62820095dea

SHA512
4e586be58240c08492755874729ea156ff6f1d04a970d7de4b83a9947552f8f995719070b61e67c4530752a42ea8831536d419b483f2d45e90dc13ff374b9c5c

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
90KB

MD5
64c09d83f29f531f1e020679bd2567be

SHA1
e3b319238d2349292468ff6cffc245bbfe53311d

SHA256
0e112e394ead4c859f41b3427e476dd4401dbca083cc9a3ca9c659ecbdd98d1d

SHA512
fc2cb40ee72fbbfc1fa476795aee7de4225fad1bc7448db5017d380fb9a68a5fc896484116ea91513e0a2f97c2551f73d19e02edf143c75c62763e706dd4f604

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
90KB

MD5
feb9270362adb2d779358907355f9d73

SHA1
31f1ac393b2bcb4dc92a3ee42c5658ac976b1689

SHA256
3b925f7e803ff411ef891082775ce43ffa7dbb648609bfa85e17591b46310be8

SHA512
83581c202f2f175a9afa43332a18411275009b1b8c07bdec056af218b63b115b8ae8c77f858449ac07741a687f5d8e064f6f2c1eb998727d19fcf1881d796705

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
90KB

MD5
be531f2e731a21bbd4a6174c5034b4ab

SHA1
4feff84a47ad757198f5c98ceaec90953326fd7e

SHA256
0109890cd0d53a0e95c9571ce8d48b1f080f098b8725fce4240994479aaca4ce

SHA512
99d38cd52cc6472c84e5339d6655c7ed5f353fd27d581d6ad71386607cf10a77838811c41ef13e01a3aefd0d376f65b8cf9dc43445408f23d8954471d39d8514

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
90KB

MD5
225eefd2fc903b490b37dc55f056bab1

SHA1
3615d5ed11edd2b3fa40ea0c3b11934d878c9353

SHA256
93fa7810f488ef3e9ae598d8a7c9117163ae07806817b7986784a1f86d20222d

SHA512
813c4bab97032f6f04bf47a21cde5d20598cd28ad95b22f5ae929900619542f85d660cbcdfc1bc17bb8c23e64e71753f9fdfb280062490e1064d6e141cfc6377

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
90KB

MD5
a40e68727d375254132e7bb7c4d1e24d

SHA1
0a265a5afd6fec8f8577bbf48ce3d5c16779dca6

SHA256
7424648f95d580e303d870458bb9659dba8c24975018abc218c4e8de6a813eee

SHA512
58b345d34ecc758d59aed59b5416689d194ea7f8ccfa8a4b9da0eb473cdd555de6a124ce771a290939a568af920a5f85842e699755edbd02cf70deb5a6468ea5

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
90KB

MD5
9072680a564b8713b3ff8247f138f320

SHA1
b73f218087f4c4aa0663baa611a1121188139bc6

SHA256
51d4a1811a8886d2031c9ebc4849d368ac98d06c53c2aeaedfc0d1cbcf046268

SHA512
18581a9805ad38d160f0a9da353808aa01fdc119cc115d5dd66bb6db9e41afbf8255b5e66608eccf24c82ad22cbb58cf65f75fdf179195d7cb87abeeae34793d

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
90KB

MD5
7eb0b4ad9f7bca7aedde19a3fcb7ecc9

SHA1
44ed26a09e95142f1f91a9aea633b9543c7e1d59

SHA256
d9c0c405fbfd33050410dc93e76ee8c61433b7438adcd717b088d900eccfa043

SHA512
2e14579797ed8caf707cb5024152e3f0df4af3a168cb8e9af021d024515297e45ac26881933a464686fa9af73d0e2e79952f52a19fa60d7c172c4978dcc6bd1b

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
90KB

MD5
960c585a9b6293ef75d29c3c9b1dd071

SHA1
5c951a84ba7cd689ee8d4782b680e3ac3dc3ac26

SHA256
c7ba96ecf5d4f32af01a737572d315727a000f80ed947307b166d237b755c338

SHA512
6f6c7da44b2a52553ff8fe68c5bae3e17cec581a3d0a25ac1afb88b807f1d4335cfbfc92cb2aee4fc9d61f1bac89ff60e60e0517fa8bf79422eb1f56df2cd562

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
90KB

MD5
155a2727580f495f0bb7ed104f976d15

SHA1
0535660eda8399fe8db80a9004cf825e14d4e899

SHA256
e094ea3a177be2ee98fffc2fcfa5167a4bfb6d13597c68f5a148371165920aff

SHA512
c0fab82c6f266df676d26217bfbb5a71130f0dbd2152fe7da1c021c4ab52f5314f90875421c746ff407e4c2588af26bfabb112142b15e27d9a9a65c231dc0d9c

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
90KB

MD5
554b43ccf872da52ee2761eab4bc55d7

SHA1
88367e7f672404d355f6ea93cc7d8e700689ade0

SHA256
c362e000a590ef21303830a013615d5fe78c055429e44e2b2f6e567557cf82eb

SHA512
2dec496c8c41ee5f261b10374032ea83a1d8e92d73d33d0909fda81b0af2f81c1236a80bada85213217a524fcbf8e397fc5d1f2e5de6ab498e9b373eadb5eca6

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
90KB

MD5
6dd4024ef56e5f66104faa866972c9c3

SHA1
1b7ec7960485d67d0e53824f82b4f0c533759151

SHA256
2b2d3bb472f27074732ee0f159ebe785c1ad213d7283b86a66dece7fba39aa6d

SHA512
20f99bc19906b49af27854f82ce83de531f691b5c74924114d5f49784dddba6938404b940030355a4af6b50b3e424c5330b65fbc577e2cfa68c404b5f7167c62

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
90KB

MD5
c90a5cc4969d0243f73090daa5b4686e

SHA1
244a2a92643bb02ee02d986b54997b6a10ab8024

SHA256
3a7f177f90b60938b108394288ae876270b687296f7db00a26d8577bf80b440d

SHA512
89e0a5778bcfefec8c0dafb4dde164a4762b7b9c079a5a75e71035fc6c9b6f8c10db24180baa79b4febcfa8fe469d3bbca87febd5ab30b379faeab821ec7b031

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
90KB

MD5
15c71abe966df0b535a22ac0da4219a6

SHA1
3b3698417b4454104060928988ecc51e5a41ff8d

SHA256
be5d058b6be423939c22ac9999ee3820870f7ae03eaa2bfbbdf0dc4fff76c411

SHA512
54b70c6797bcd55b36a6a595ab92e4ea77099872343a4fcaca45e8242da1e87e4154db7ee8d85b9d4e52fce61d63caa7d60d3f3750bc062a2bc8a863eacc7f09

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
90KB

MD5
223a24cc8530b0765dd766f0b4974b1e

SHA1
1dfd2fdca0bc2844a79a62c21cd583ea97f34a17

SHA256
f1bc97105931ab36fbbb704f0b404bd5f3980bfb8a8b276351ff76652413e948

SHA512
bddf9136854cb65b50208e0232bd29b97ba96db9b3f2452d6aa683763089b83988cb08c05359d070673ddbd70b70cf5e0b9df197ca7c7ceb1248cbb231e03307

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
90KB

MD5
da36bd8019e81779c55cd1bf221e501a

SHA1
c392058961a32d67e471d0df01460b5b3f27df63

SHA256
a1ef6e3ab44ab29b5c7b161e53b0eea2babe9a057a11836f244e12a5f27d8ebf

SHA512
288bdc8a7f22841aa0cb29c65f6e58246805098ea4f22286a5ab7a9eeca081c260c22702328829ef9c6967ea345d38a4659034ffc90dea90eec03732557e3c96

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
90KB

MD5
9c24e5f243a98a9349a4e69fd850ec25

SHA1
c41096f457583679c95eaa30ffb54d5b68c67277

SHA256
3a414ce0de164380fcce98f7c14e75549dba105be67716d7e47e3fc9b83fe6c0

SHA512
0bb3519dd6877eb34ca50b94f8971965472f246a01939bddfb3505e1b11ca47a5858f2570644f7c4d6718806e8a75b743c32eedb00a3efbc5f664d2bb7901528

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
90KB

MD5
c002a06096c1badae57a66fbadbd532d

SHA1
6555cb3e9e4c8d7a0ea1dfdf7af9ccdceba8b4b8

SHA256
6de19e90fe9b7d190b24ed84b9d764922c3e90ed76ade320f41ff73e32a319d7

SHA512
177fce0f9af0a78040c03a875b6a7b6b42cd67f2d7d4021ca88d156eb22d4924e21947c6702a3553c7546eae4234226a33e1cad95414d31314cb504f4465a1ab

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
90KB

MD5
6958a7a6ae51d4bb89e1918e4fe9c05a

SHA1
22a5ed44ac32feded2e55f857d17bde900983b2c

SHA256
245677bced26ff95d7e6cb78fc8db86fbd611f5f116aa74c4fb4a97a99c89b75

SHA512
dcc6fc3b63b4cc4b6c47a492a3d9e1e08079f99f73b2e55a7a99c4747a5b843d861621493a2606a77d1c8200d04234237af61ed83dcabc4a059a056bf47575d4

Download Submit
C:\Windows\SysWOW64\Pjngmo32.dll

Filesize
7KB

MD5
69fb2935880a26581e6f6d1885763c15

SHA1
791db7736a508ae9dd48f5d36b65171ca466da16

SHA256
b6598cbc2e90f17b1511a83254d95ded21e1a96c154dadc2ffde5f1a104ea306

SHA512
47077bc1ddcf3b0d75a5923baae559c5867770e6c759dd78926be4c1b849dfa9993dba074cbd7e4d5f7e66292fd57e2fe0022cea83ca8cf5c1b0cdc83d5efdd9

Download Submit
memory/740-196-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/740-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1156-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1156-186-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1432-177-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1432-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1552-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1552-197-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1676-188-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1676-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1948-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1948-193-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2164-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2164-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2212-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2212-194-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2268-112-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2268-185-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2584-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2584-189-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2792-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2916-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2916-195-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2920-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2920-183-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3212-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3212-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-178-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3476-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3476-190-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3548-179-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3548-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3800-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3800-180-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-182-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4236-198-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4236-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4960-187-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4960-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5048-191-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5048-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5088-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5088-181-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads