0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a

Analysis

max time kernel
133s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Size

57KB
MD5

25300116840695cb7d8326c14caacd0b
SHA1

833ca6776f6d22f54d37fc4ee10d94f3914aa78b
SHA256

0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a
SHA512

09eede7a4dad8ddc7e48f5619948206f38151149f9ff954485dadc5237113147c88f6c8a7c9f8de16957e902af9571280ced5741122837c1995d72fd516400e1
SSDEEP

1536:p6vGSnxySf46wXJKIi8c4AEkdBPD+KGcciccccccccccccccUcccccccHcccccF5:tSxrQiH4EBPKKOn6F6

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe

Executes dropped EXE 21 IoCs

pid	Process
2700	Cnkplejl.exe
1752	Cajlhqjp.exe
1464	Chcddk32.exe
4720	Cnnlaehj.exe
2068	Calhnpgn.exe
1944	Ddjejl32.exe
2224	Dfiafg32.exe
5048	Dopigd32.exe
636	Danecp32.exe
712	Dhhnpjmh.exe
1100	Djgjlelk.exe
4152	Daqbip32.exe
3664	Dhkjej32.exe
3952	Dodbbdbb.exe
2472	Deokon32.exe
4156	Dhmgki32.exe
4064	Dmjocp32.exe
3364	Deagdn32.exe
1836	Dddhpjof.exe
2564	Dknpmdfc.exe
408	Dmllipeg.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2848	408	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2700	1640	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe	84
PID 1640 wrote to memory of 2700	1640	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe	84
PID 1640 wrote to memory of 2700	1640	0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe	84
PID 2700 wrote to memory of 1752	2700	Cnkplejl.exe	85
PID 2700 wrote to memory of 1752	2700	Cnkplejl.exe	85
PID 2700 wrote to memory of 1752	2700	Cnkplejl.exe	85
PID 1752 wrote to memory of 1464	1752	Cajlhqjp.exe	86
PID 1752 wrote to memory of 1464	1752	Cajlhqjp.exe	86
PID 1752 wrote to memory of 1464	1752	Cajlhqjp.exe	86
PID 1464 wrote to memory of 4720	1464	Chcddk32.exe	87
PID 1464 wrote to memory of 4720	1464	Chcddk32.exe	87
PID 1464 wrote to memory of 4720	1464	Chcddk32.exe	87
PID 4720 wrote to memory of 2068	4720	Cnnlaehj.exe	88
PID 4720 wrote to memory of 2068	4720	Cnnlaehj.exe	88
PID 4720 wrote to memory of 2068	4720	Cnnlaehj.exe	88
PID 2068 wrote to memory of 1944	2068	Calhnpgn.exe	89
PID 2068 wrote to memory of 1944	2068	Calhnpgn.exe	89
PID 2068 wrote to memory of 1944	2068	Calhnpgn.exe	89
PID 1944 wrote to memory of 2224	1944	Ddjejl32.exe	91
PID 1944 wrote to memory of 2224	1944	Ddjejl32.exe	91
PID 1944 wrote to memory of 2224	1944	Ddjejl32.exe	91
PID 2224 wrote to memory of 5048	2224	Dfiafg32.exe	92
PID 2224 wrote to memory of 5048	2224	Dfiafg32.exe	92
PID 2224 wrote to memory of 5048	2224	Dfiafg32.exe	92
PID 5048 wrote to memory of 636	5048	Dopigd32.exe	93
PID 5048 wrote to memory of 636	5048	Dopigd32.exe	93
PID 5048 wrote to memory of 636	5048	Dopigd32.exe	93
PID 636 wrote to memory of 712	636	Danecp32.exe	94
PID 636 wrote to memory of 712	636	Danecp32.exe	94
PID 636 wrote to memory of 712	636	Danecp32.exe	94
PID 712 wrote to memory of 1100	712	Dhhnpjmh.exe	95
PID 712 wrote to memory of 1100	712	Dhhnpjmh.exe	95
PID 712 wrote to memory of 1100	712	Dhhnpjmh.exe	95
PID 1100 wrote to memory of 4152	1100	Djgjlelk.exe	96
PID 1100 wrote to memory of 4152	1100	Djgjlelk.exe	96
PID 1100 wrote to memory of 4152	1100	Djgjlelk.exe	96
PID 4152 wrote to memory of 3664	4152	Daqbip32.exe	97
PID 4152 wrote to memory of 3664	4152	Daqbip32.exe	97
PID 4152 wrote to memory of 3664	4152	Daqbip32.exe	97
PID 3664 wrote to memory of 3952	3664	Dhkjej32.exe	98
PID 3664 wrote to memory of 3952	3664	Dhkjej32.exe	98
PID 3664 wrote to memory of 3952	3664	Dhkjej32.exe	98
PID 3952 wrote to memory of 2472	3952	Dodbbdbb.exe	99
PID 3952 wrote to memory of 2472	3952	Dodbbdbb.exe	99
PID 3952 wrote to memory of 2472	3952	Dodbbdbb.exe	99
PID 2472 wrote to memory of 4156	2472	Deokon32.exe	100
PID 2472 wrote to memory of 4156	2472	Deokon32.exe	100
PID 2472 wrote to memory of 4156	2472	Deokon32.exe	100
PID 4156 wrote to memory of 4064	4156	Dhmgki32.exe	101
PID 4156 wrote to memory of 4064	4156	Dhmgki32.exe	101
PID 4156 wrote to memory of 4064	4156	Dhmgki32.exe	101
PID 4064 wrote to memory of 3364	4064	Dmjocp32.exe	103
PID 4064 wrote to memory of 3364	4064	Dmjocp32.exe	103
PID 4064 wrote to memory of 3364	4064	Dmjocp32.exe	103
PID 3364 wrote to memory of 1836	3364	Deagdn32.exe	104
PID 3364 wrote to memory of 1836	3364	Deagdn32.exe	104
PID 3364 wrote to memory of 1836	3364	Deagdn32.exe	104
PID 1836 wrote to memory of 2564	1836	Dddhpjof.exe	105
PID 1836 wrote to memory of 2564	1836	Dddhpjof.exe	105
PID 1836 wrote to memory of 2564	1836	Dddhpjof.exe	105
PID 2564 wrote to memory of 408	2564	Dknpmdfc.exe	106
PID 2564 wrote to memory of 408	2564	Dknpmdfc.exe	106
PID 2564 wrote to memory of 408	2564	Dknpmdfc.exe	106

C:\Users\Admin\AppData\Local\Temp\0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe
"C:\Users\Admin\AppData\Local\Temp\0a320d2a73b1d86cd3252d8cb75cd130d27a49b839f77f8963a74675a34fb68a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\Cnkplejl.exe
  C:\Windows\system32\Cnkplejl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Cajlhqjp.exe
    C:\Windows\system32\Cajlhqjp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\Chcddk32.exe
      C:\Windows\system32\Chcddk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 400
        23⤵
        Program crash
        
        PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 408 -ip 408
1⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
57KB

MD5
66ef17137b401cd9cf2e459dc1ec4147

SHA1
b46f153685aed3cc15bce71b2db44458b8e86671

SHA256
a66f5ccb5cd117a50693d4b011ea748bd281b172fae733aa67171d4da99d7c72

SHA512
d78e1a11c52594c6eeff4f13297529621cf4ca3517bbdab8b59902675930b817ad339fc74d977e2bfd69ad7a58e593efb5da576a6fb1d0efd3505ec16a5bd02f

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
57KB

MD5
19cb711484242abcdd1ddfb06e178e3e

SHA1
b1e25bec8905e784655e1aa8896d0750692e1846

SHA256
a1360945e6772af1fdf4c9b9f394f070eea3e47152616863fab3e90f0f05ca08

SHA512
1c5e5cb6b628c3963320d5fab28e4415f49c4484b185aad80398a09aeca68e04691727b026ac33db6884677c82398f18a9fbeec3eeac6c9ae186bdb0b5b75bd9

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
57KB

MD5
7964818524bc803f439bd187b608a679

SHA1
04eee7c0cdcbca794bd3a5a75f5f1378e60916f1

SHA256
9c47abdcbf20588627f33f6155c6a15289639215445fd47cffa979b8f3177994

SHA512
387b475d97729e944e2711115985d87f46c2b58654be5db192d5febde096dc3a3b178eb8112612f736eeca99afdea3a225adc6f39062cf7048de7ed9fc199ff5

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
57KB

MD5
d9fa31c47b5b69f7d17098baa2299860

SHA1
2e7a780e6f13898b9c0a7da2a85b4f074516e94e

SHA256
8b8b710b155cf7f38c3f5083e9ebfbc24cd2c1127ca0fb857273eb11039b5a11

SHA512
2fdd93c5d9f697c84d85235a8d96e8a4746434317639b4eae24e63f3248249332079c0fb067b0271fa4789570c4db6510e474409e4d9fd46e986cf229def459c

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
57KB

MD5
925c15d2403b311875d8f1f44065d7eb

SHA1
4af31d307f2427b03c5b264ae24075456dc47942

SHA256
3525a0bf124db8a80845cea0d7ae0e63812be6d585e1ad2f643bcae2d4a0e72f

SHA512
c933efcff51c4b87900e4539d3f681f7aa4e61486ba10b488b5b74960b5b6149188a426116e1f66a4f17a2a2a733e536eddd34c80c175f5f6de830fbfc863d6a

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
57KB

MD5
792a704073cd8c3b13632ddf523488ec

SHA1
aaf494b67095bd2d2661585bc5b846862ed8a51d

SHA256
672ff464686fb43cd457b3a6fa3a9383dc2a8fe43a55c43455588ce85305fcff

SHA512
fcc748dc7f3fbe65ae6ebe5531788a66b16e86499098b655fd56a4dc79b996d1bd2b3d1605a65d1b2ca1c657cbcc177021244a0783b53e8595857e59e6a9aa75

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
57KB

MD5
45ca542af2d4c996782f583bd1b15d2c

SHA1
6f122ad73e92db88b3be99fee6cd127fe2dbdc5d

SHA256
76be04f41a42e97340b3bc9d66732eb6bf6b67885d97c623ae6490324db88cbb

SHA512
b6b72974e3d55864ed8fd4c7527253bbb5bfbfb16b3ec3d01e5c3703a3d228f717d4ebf7aa40be7ea2bef3f0e96b930d9b91b5ddd64318643d807559d5712db2

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
57KB

MD5
ae603b1b670b08238597d7c2dad396a1

SHA1
45817affea8b0f6115744b59ed461fd930738ada

SHA256
1717ccd09d4fbed905f656520082e18c350ff439886bfe4d0b01c3e5773fdf89

SHA512
0b4a5cf18021cd3929db2546890819d87dd2e67835efd9829838540cbe9ffa0a0821038922bcd6f254523447b3326fcd78c15023e5102a0751b7e46a61670460

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
57KB

MD5
b3baad665f46a514a3ce8c6525de444e

SHA1
39b8d03da066bd7496d797382352da435c756dd9

SHA256
e8a03c22ada95a19f8f1fd68e6dbe466e88359cb51506399879bbf343a56b06b

SHA512
00f95fd01952048a7f2de13c47d76583a9574084d866539cd8b358102fe96dabe61bccb9fecdbf92885b4235235cf3e074ab56c7e9799b8d90df63711460d8c9

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
57KB

MD5
674b9645d1aa9d52bcb0c292e73bec84

SHA1
b7e2f501c5b0131fdf8e3bacd3049415448bc5d8

SHA256
0edc4b3fac6005bb63dba53bd29bcd99307d4f5977b24d050c5c6d5cd75bb9b4

SHA512
4a4ef1294a317be5aa2598df0331b016b86347bf4e77c14186a1956bbda45fe9bf207a2cdf6f1e95002b7c41aef2811a1011b3efcae4cadd8a3561d58caab5dd

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
57KB

MD5
451a252c454955579bf8dbbc0348ef73

SHA1
f3278ec38822b0c9abf37cc5d77e01ebc6bce395

SHA256
fcdc62c43949f1b0ff8ac4546efb21a3e174115239f678f96cc9ccbedea1a941

SHA512
53d2c44c394577ecf322690d3502421a8f80f83a4e1678e33f869d317b741094d2a73f738ca14fff7c68e312603114540fff0fd1a39b73689ba390f6cf20fab0

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
57KB

MD5
663a6d58744245b91e3e457ae34e2398

SHA1
a5109ae75624a071f650df0d63f4baac1d210cff

SHA256
4f58866e4318ee3298e2d3cefb3c70be097b5351f1f37621eebc11a060327fc1

SHA512
7a08c2eefdb6ab0e80f0f7b7a574c1c3e9c8b16f5715e700d225f4dc532cc3b8b568fd84c34206b09b23a92fc1292a37207b665811a51a26cf8c95dc76fa10f0

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
57KB

MD5
ee31af6797bde4e6de795a18939a56bd

SHA1
7795dd75a532c47ff79baa1947d8bf7be9b63ee4

SHA256
2c0a0e7db66a7a71d1b2c48d58688642d232d2d5066e13a30a33a108b8366cc3

SHA512
3310e0026914cfa011588ffc87d6a2aae44c520797c4ce3e3e68000a0eacd40786cae2dd5aa7e1d7f32e5a0452fece3561ecdc23e90220099d6538a65c5b692d

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
57KB

MD5
f73c76bb4182e6ac588945c568cdcc95

SHA1
818d14aeeb181ccdffc3a194c943367ccff50314

SHA256
67c90afccf92f5990275db42eb5a2bbd8b027c04577f6fff8bf899ef1e16069d

SHA512
d1db90c792c86fbd9d0f61226cb0aae096cde4ea475b6fc70eb797e4df58d3c23487d52b88cdcb3a047fef92094bd458715b88ac69880fd6509f57b37a3c51ef

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
57KB

MD5
2edef54517034ba0078fa190eb7ecdd6

SHA1
fd4d0942675235cb9fdcd2a5643d3c6df1c6d416

SHA256
8da324deb5f6815036f23e1f20ab9cc694bfb0a3ce44c1c31d8bdfe66cc68dd3

SHA512
14b9c594509d3355c978abee35c782f6e2661726b273477be4bd533c99e72696a0df346106f9e22967b078d4fbce111b2d0d2002283c2cdd2ade1c4b1ed1b3ee

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
57KB

MD5
1505fe8fea25bd45dbb342e5356afca2

SHA1
74002537509ec69fe6d9bfdfcc42dd4b22e95e04

SHA256
a890819cce7e30ca66536837f780d0ecc2f06c993bdd43e976af39a865d493af

SHA512
9df481a05ea49cfa901bc42a01f6febd7c3d255c3f2b4c1e6e7b8bb626fcb5884d86d9421b78cdc30f6e9a1afb0d355f1009f8f143b3e0ac0b216d2605c6f266

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
57KB

MD5
b0b4a93f81f88ebbb13842723b435a07

SHA1
363e6fe6e00794d561b7386cfc31dc7abf84eabc

SHA256
79a974d2ff1008dc7ff1b762c7883dd5f59bc22850ce9038cfa74ae30e6832bc

SHA512
970037c165c10d73398189ebf30fd643d70f0528bd735e0802e66206f7377e101f0fe9412aea8f8cd92eb77d4b8482d237629425785ba2032930c71fb2a068ad

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
57KB

MD5
59dcd78863da22979c8da579099a0039

SHA1
6d90f740d82736ddc2718f6f444c10cbd64745da

SHA256
cf3e79f834839732c4a11651a2589576bb4231f80cb3340a986fdd3bb7650cd5

SHA512
259f0d47eec6f41fe3e17f81a38d94ab03e1117ec742c130239e3d76d2d8259b69effe78978f91a78cc44a8b79bcc58acf99cc6f11b44e88bd4ed43cf1c18de8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
57KB

MD5
3d82c6d0092a42f9d315ea35e520921f

SHA1
10e80299e9a1f567ef7e6fc72e45b41dce14a254

SHA256
60ae139c0adef6961609b9758f78b51f9db5f1b866bfcf1df61caabc1a5f1d33

SHA512
837ede393ac02fd2e9ae69047456bf24a574aa79b361d45a9916a5895cc2f81f95077397632e7517a890e0546b8500e4122ff54626810df8ab84c27bc45a4dda

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
57KB

MD5
eb5c32ffab987089ef421cc83d5e4fb4

SHA1
7d13a8d1cac2b0a60cb206368b31d7b60df21c5a

SHA256
8d8143a055fcd932713d98fa24ea872b15901cc8b883d6b9fe069688fb2e1a58

SHA512
25d0884f8c71eb516badfb2c771079db59f404fb8a8d64e0b5cdc05f6997181bd8af864087c31f4917741f743f4b88695ca144d0990a4f2836477292074ce3b3

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
57KB

MD5
de6d474c95ec19453072fa47d04d9464

SHA1
cecf52ce993661e0a58d9e219c93ceac8ae84e21

SHA256
83e92bc4001a9f7c652276cda0353f753387ff00850f578bc731fd6cefe34a67

SHA512
32295b881596905ed0e4917d489da6d0b189320a6c42eabc68dc5acd7eaefef83045fb1b2a8bd8550839e2f903d4a2d00445accb9b2a4fb62c8b30b6776f0ec9

Download Submit
memory/408-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/636-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/636-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/712-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/712-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1752-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1944-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1944-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3664-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3664-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4152-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4152-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4720-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4720-187-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads