1178ed4b6d65ce561f8a22c4fee84b737726cb94a11f227d447a757ff952c6cb

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4646e5e92a9910eaf6012e6492177190N.exe
Size

94KB
MD5

4646e5e92a9910eaf6012e6492177190
SHA1

1ac45b3f04d447a9e90fcc2b8598a59a4a96ba45
SHA256

1178ed4b6d65ce561f8a22c4fee84b737726cb94a11f227d447a757ff952c6cb
SHA512

53cc3e85baff5e5632fee82cbc6d077685b49077ec9e11477122e3542bfcc26853f88c55082d2f931e5eb252dfcab7991c0a703853c71796a63287e4f288cbc7
SSDEEP

1536:Od44PUUFcAGMow7mnVYWVQX+H/NZtWvzLPHq39KUIC0uGmVJHQj1BEsCOyiKbZ9N:E4ZYb9t7aVfH/NZtWLjH6KU90uGimj1g

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4646e5e92a9910eaf6012e6492177190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4646e5e92a9910eaf6012e6492177190N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Executes dropped EXE 20 IoCs

pid	Process
2792	Cajlhqjp.exe
976	Ceehho32.exe
1852	Chcddk32.exe
1536	Cmqmma32.exe
3908	Cegdnopg.exe
8	Dhfajjoj.exe
4372	Djdmffnn.exe
2100	Danecp32.exe
3700	Dejacond.exe
2160	Dfknkg32.exe
2392	Dmefhako.exe
1832	Ddonekbl.exe
3372	Dkifae32.exe
2564	Dmgbnq32.exe
4168	Dhmgki32.exe
4228	Dkkcge32.exe
1704	Dmjocp32.exe
4072	Deagdn32.exe
1820	Dknpmdfc.exe
2904	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Clghpklj.dll	4646e5e92a9910eaf6012e6492177190N.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	4646e5e92a9910eaf6012e6492177190N.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	4646e5e92a9910eaf6012e6492177190N.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	2904	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4646e5e92a9910eaf6012e6492177190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4646e5e92a9910eaf6012e6492177190N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	4646e5e92a9910eaf6012e6492177190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4646e5e92a9910eaf6012e6492177190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4646e5e92a9910eaf6012e6492177190N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4646e5e92a9910eaf6012e6492177190N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4646e5e92a9910eaf6012e6492177190N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 2792	4788	4646e5e92a9910eaf6012e6492177190N.exe	83
PID 4788 wrote to memory of 2792	4788	4646e5e92a9910eaf6012e6492177190N.exe	83
PID 4788 wrote to memory of 2792	4788	4646e5e92a9910eaf6012e6492177190N.exe	83
PID 2792 wrote to memory of 976	2792	Cajlhqjp.exe	84
PID 2792 wrote to memory of 976	2792	Cajlhqjp.exe	84
PID 2792 wrote to memory of 976	2792	Cajlhqjp.exe	84
PID 976 wrote to memory of 1852	976	Ceehho32.exe	85
PID 976 wrote to memory of 1852	976	Ceehho32.exe	85
PID 976 wrote to memory of 1852	976	Ceehho32.exe	85
PID 1852 wrote to memory of 1536	1852	Chcddk32.exe	86
PID 1852 wrote to memory of 1536	1852	Chcddk32.exe	86
PID 1852 wrote to memory of 1536	1852	Chcddk32.exe	86
PID 1536 wrote to memory of 3908	1536	Cmqmma32.exe	87
PID 1536 wrote to memory of 3908	1536	Cmqmma32.exe	87
PID 1536 wrote to memory of 3908	1536	Cmqmma32.exe	87
PID 3908 wrote to memory of 8	3908	Cegdnopg.exe	88
PID 3908 wrote to memory of 8	3908	Cegdnopg.exe	88
PID 3908 wrote to memory of 8	3908	Cegdnopg.exe	88
PID 8 wrote to memory of 4372	8	Dhfajjoj.exe	89
PID 8 wrote to memory of 4372	8	Dhfajjoj.exe	89
PID 8 wrote to memory of 4372	8	Dhfajjoj.exe	89
PID 4372 wrote to memory of 2100	4372	Djdmffnn.exe	90
PID 4372 wrote to memory of 2100	4372	Djdmffnn.exe	90
PID 4372 wrote to memory of 2100	4372	Djdmffnn.exe	90
PID 2100 wrote to memory of 3700	2100	Danecp32.exe	91
PID 2100 wrote to memory of 3700	2100	Danecp32.exe	91
PID 2100 wrote to memory of 3700	2100	Danecp32.exe	91
PID 3700 wrote to memory of 2160	3700	Dejacond.exe	93
PID 3700 wrote to memory of 2160	3700	Dejacond.exe	93
PID 3700 wrote to memory of 2160	3700	Dejacond.exe	93
PID 2160 wrote to memory of 2392	2160	Dfknkg32.exe	94
PID 2160 wrote to memory of 2392	2160	Dfknkg32.exe	94
PID 2160 wrote to memory of 2392	2160	Dfknkg32.exe	94
PID 2392 wrote to memory of 1832	2392	Dmefhako.exe	95
PID 2392 wrote to memory of 1832	2392	Dmefhako.exe	95
PID 2392 wrote to memory of 1832	2392	Dmefhako.exe	95
PID 1832 wrote to memory of 3372	1832	Ddonekbl.exe	96
PID 1832 wrote to memory of 3372	1832	Ddonekbl.exe	96
PID 1832 wrote to memory of 3372	1832	Ddonekbl.exe	96
PID 3372 wrote to memory of 2564	3372	Dkifae32.exe	98
PID 3372 wrote to memory of 2564	3372	Dkifae32.exe	98
PID 3372 wrote to memory of 2564	3372	Dkifae32.exe	98
PID 2564 wrote to memory of 4168	2564	Dmgbnq32.exe	99
PID 2564 wrote to memory of 4168	2564	Dmgbnq32.exe	99
PID 2564 wrote to memory of 4168	2564	Dmgbnq32.exe	99
PID 4168 wrote to memory of 4228	4168	Dhmgki32.exe	100
PID 4168 wrote to memory of 4228	4168	Dhmgki32.exe	100
PID 4168 wrote to memory of 4228	4168	Dhmgki32.exe	100
PID 4228 wrote to memory of 1704	4228	Dkkcge32.exe	102
PID 4228 wrote to memory of 1704	4228	Dkkcge32.exe	102
PID 4228 wrote to memory of 1704	4228	Dkkcge32.exe	102
PID 1704 wrote to memory of 4072	1704	Dmjocp32.exe	103
PID 1704 wrote to memory of 4072	1704	Dmjocp32.exe	103
PID 1704 wrote to memory of 4072	1704	Dmjocp32.exe	103
PID 4072 wrote to memory of 1820	4072	Deagdn32.exe	104
PID 4072 wrote to memory of 1820	4072	Deagdn32.exe	104
PID 4072 wrote to memory of 1820	4072	Deagdn32.exe	104
PID 1820 wrote to memory of 2904	1820	Dknpmdfc.exe	105
PID 1820 wrote to memory of 2904	1820	Dknpmdfc.exe	105
PID 1820 wrote to memory of 2904	1820	Dknpmdfc.exe	105

C:\Users\Admin\AppData\Local\Temp\4646e5e92a9910eaf6012e6492177190N.exe
"C:\Users\Admin\AppData\Local\Temp\4646e5e92a9910eaf6012e6492177190N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\Cajlhqjp.exe
  C:\Windows\system32\Cajlhqjp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\Ceehho32.exe
    C:\Windows\system32\Ceehho32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\Chcddk32.exe
      C:\Windows\system32\Chcddk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 396
        22⤵
        Program crash
        
        PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2904 -ip 2904
1⤵
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
94KB

MD5
e4158f739192f36f86cc7693041464a8

SHA1
dae8c4b1037aada690c9ab512d8826d50253af99

SHA256
34b77b15d566d932b6f6c48b147a45bf1d6c960c54a1320722d1321e7c372c0b

SHA512
8665617cdd5c544b594c59769776508dc3be2c36905ad20918eb5b205bfe0fb3184c02ed030515ac3662fee0fefad6a152595577df406a9095eb04e57b080dc9

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
94KB

MD5
aca7e453b1252dd423f3290bb2962358

SHA1
5da5e45caf84102a5e99d50c467ac5febe4db8d6

SHA256
38002dd28c4359b2a6cb70bfd54bb04b78c9dbf74a2cee57d357a4a2d9f84ac5

SHA512
e71b957f41873a5ef31acf6e86ea2cc132a3c2a9d7601d1e55a574d0aac60fa3ca714a1f022aea648f25dbf2bd7b36da5007502d85cbf41eda4489f96da19237

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
94KB

MD5
1812267ffef8f23129195a5385a045db

SHA1
e3a82f019fc8876b6dbe654653545d2db45e4629

SHA256
23f69b1f3f6808eeffb42f8552131ef22d26c5c8197e1f6b4d82018d2ebe799b

SHA512
b25b75fc20649de62f8c420b49371264b10b625eeb68e034fccb0883f6f61c972ecdddecdf974600e47e25256ed94de0ad58de0bce305575936888b358558386

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
94KB

MD5
cd566e27c81470a105319236c27e0a68

SHA1
de978205b024043f9f2fec5881d56bd5921b64ce

SHA256
399857619f54c9200165228e22b83b8c4e644297b775749204c28d438c2e193f

SHA512
9ce6dd7006202bf66693415f09ce006aeb7792c56d0efecf7953ad3c79266757eb4c5c0711cb844dfbef95eb128a670a4ec046bdefb162cb8df6a0109c2c8073

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
94KB

MD5
27015d248fbc6b1a8dc48370a486b9e9

SHA1
dbb99104d52fe01aaa0563c35613652d70b656d1

SHA256
0d568613c8c0b4232a116c368e0672f67ce738f828c50f6c081861ea1c698731

SHA512
d06ce1de144d27a15b6a55a9d3df2c04a76a072eca5150ee0296b6b98f0e4c4a0a6fd05e4025b0c51cb4706caf483a0aa85571384953b583853af7fa054afda2

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
94KB

MD5
fc94a06da90173d34b3a9938134c3196

SHA1
55daa14118493d7c9c6c3d358901bca3c7ef952a

SHA256
d817a3735baa2a4c81f3fa285585209fdaddf84c99a14cdb56b68595e5ccc8a3

SHA512
59d66c24fa8fc9a23c766e20647f30ef8111bb9ca1604101b21ee0b1f5f3335eaaca525b8082c86719f2dba3224014fcfc2464322dff5f31a8e1571e35a9e081

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
94KB

MD5
d54d93abe1573a57bf8541dfd840279f

SHA1
febb06f7071a175539dc60de434ea78252bcb3de

SHA256
2800e04155e8393825f30dca6ce5b6684384caf689f1e95da6b1f51dc43a5c59

SHA512
90eac749ef6c0cc1fad68cf5f8a18da4dd9e30dcbca92826418f98e978fbf68957cced5d8218c68baee00d816afe406e505590d456370250f634fb7ba770b1ee

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
94KB

MD5
99b9eddffe9f8d0c43fbb18235f67765

SHA1
15acded416bbbc11912940ea9942809c95db12a5

SHA256
0ad3d94dd656b4b002524d265870c159294075c3dfef03a3078f6370f55b98f5

SHA512
59e0c7f730662fafce37189fc3c9d59804de7fb3205e5f153179134560e1b64ba13de570b78bc95897cade663c93234c7ee1a1bc39f91b05d0b832b4f6ff5999

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
94KB

MD5
039e9e847e8e2374ec7919be463352cd

SHA1
f9beb0ff104ce33e97dda5d3386af4fde01b15a6

SHA256
23fb74fa06248907a690b413df77d89ab853a3e4aeccd45a1b4b6540e5f0feb8

SHA512
1ee0833b5cdefec2c948e17b559b06406aa380615d23a06e30d04e9766ab9e3b8b3a88fe54111422ed49066f6c1c89c9be8e7d8d8f04cd3deae11303c2b052f9

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
94KB

MD5
8ea004a219917bdedcd0051587b5bc4a

SHA1
962ba530c9c3282969a62bfd894033aebdd644dc

SHA256
2355e8fbca38008579294feaa9f345d0307e2b51675a798b2bf348aeee5cbf96

SHA512
871b102ef028c93d53f754fee4103dd94141e19870c637f21acca68747c29aa58a8bf623a90cb369d04473eb07412be9b962e2303a23e9f404eabb6cd0855003

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
94KB

MD5
f142d37ac812295b2cd3ff2aa30cbe33

SHA1
9c027b9423275abbaa3c6b65af8abbc603fbe673

SHA256
2443a10838f3a220c9f374c58a74d0a8c56cd1ab05564d4983b6eab5a8f309cb

SHA512
b69c0bf9c78920954e872ab5643924177419a7328fd0b6877ef01b9684035920b92039fb5c3cbd306a2fbf18ab837753cb0e2add65bcb276d103056133c98663

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
94KB

MD5
acb8534697ba4548226f4b4321013a31

SHA1
aaf561bbf220bc5a82405f11c9c39a7259eb563f

SHA256
b0af50327b4f33596ec90381e590f2c5eb0233ba648a5dacfae92a595e485e22

SHA512
5eff39d46b4dab79b57abb20b56cd96ac53702139e76a2c711de2fdfe6e124130d4d75a1a3fcd29d2f523192476ca083374ddcb6e868aee7dd9d7146537cd80b

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
94KB

MD5
8f5dec926c98e5ddb9d5f33ce2a28795

SHA1
47eb404ef44e6ffa688e2fdadc25864bbde05f70

SHA256
18887b36ab6b584515d68d12baa512e5d938398123bbca4c5edd72ac8ff3ec8c

SHA512
993919e750bbead74ca53b54330c307c9d3135aae665de698f1c825aa504d0cf5499438c9b100d6c6e3906b11da8dce611ff23d73cfde266a72d1a019a0bf4cd

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
94KB

MD5
a30a7ae55f80428b41eb3d0acedac494

SHA1
f0aa87c28b54f64c60745a497cc200fe5ca99b47

SHA256
db6a5fab2157bebc98657f4aefdc31ef64c3d625e0769602bbc00b189f633a7d

SHA512
dc77bd17106131c404fc92ff03dd684c2dca5f448b570289b42a02226b0f2c5eddac6df6fa14ecb77fcb87b5e005fe4f3623abd19d20a0686aaea61a624814ad

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
94KB

MD5
123948a27c055f12226249f4613d8950

SHA1
5b3d344b71cad8e4b23b2b34d0c0f3fc37eee7d7

SHA256
517869dfb3e9dda3eac49adb3c1869a72dfbe793ce4a9ed99db9253e665b116a

SHA512
72c9d3ec658da56d14751dad434949913d704a5c8cca59da90f3eabf7381a5a5026719fb9baa9d3edce07fac721c0172b7c32e71376ea36a81f60d2bc4c27bc6

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
94KB

MD5
a31f62d1be0c2bc001596e9e90cd4620

SHA1
e3eac39d06621fba6d7ff25893aea8c0dac8058e

SHA256
73876ac08e241b72956b858815126eac45fdba6e2ae1da5dcc547d35e33c886c

SHA512
d110e1c05cc63654030f7a3202e518ee300ad79198acb569e10c9367393969f1c3abe038b7078138021dba09e8ee8e25b78cb97e5d46938f3a074353d123bdc8

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
94KB

MD5
fd89f29d71a2b0f9de23c1eaf7823228

SHA1
b76eb623f42ff19d27c0e3b59d781bc2650cc6e6

SHA256
f84b215ac6455f6db7084862a038a52437c7171c5b17c73bf3bf1d01fc33339e

SHA512
dfaeef8cfc57b5ecd77f90119705d2dc560ae2a043fde8b20aeb9d8170499cc8f4017d652be2d79b72edf27fd0fe3d40289d4e0a488ff6e973c7c07a61e12e81

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
94KB

MD5
4645bf9ffb689aa8b22ecb603a0f3e19

SHA1
91745afa82ccfb89aa0e5f8f9d6be10016f393d8

SHA256
f7ebd8d0e3c567d1b3af05aa38d3854fe088b83d2711303904927d288dbd0536

SHA512
a776d45a35cf1d7db379fea0bfe757860e6df0d50ccde0d20a1de312b49d338cf781fc8c142dafa6b02c978832fcaa9b37c9c85e45f8ec820a2ecf13b6650ad2

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
94KB

MD5
ef4bf3c34b5c5c9af1267042d298cb58

SHA1
b16f3263566611d5f31d18f81e718a1783b97b73

SHA256
85e6bc5e56eb136ece624fbf870193fcfd6e097d322c8c1c59e7471e5bc160e1

SHA512
0c18bb1e01b452889ea7c7a5c65fb2e89fae497a38060aa13552f22b5acc4f690b96a403cf4ef9245cc9c1b09375bc39bce0f63795795bbb1465f72163e8d56a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
94KB

MD5
2f99e49faeda75d6c1e29ec27f07c395

SHA1
da6afdf4c455ca022b52be63a954db7178245d6d

SHA256
b07d152192d1d65f8a68653c0579a15683c218c11f19eaae071e6439d07d91e4

SHA512
8e0015a6192c0461e36952b6c6fac2f34264080e87970fc0f03ae2340fa6faef800f48a82586449e0492336ed308d79551c1bc02141fd9df138f65c9933feb28

Download Submit
memory/8-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/8-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/976-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/976-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4788-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads