42b237e820f0176408212cc3bb574b5dcc7cc0dc3df0e29dae4fde072ff0e37d

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20bc77851471596619695d6fe6cae080N.exe
Size

64KB
MD5

20bc77851471596619695d6fe6cae080
SHA1

4d646ff4dd1afe955f354b88f6460ddf721609db
SHA256

42b237e820f0176408212cc3bb574b5dcc7cc0dc3df0e29dae4fde072ff0e37d
SHA512

b72d45b81db77d17e1a3c0043b07a744dc3dfa920380f72b7e5d07251c37589499a083588901f906136777a2b043b20a90ef7fb39358461328ccb8d9949ead8a
SSDEEP

1536:pk2MlMSe7o2EtyLQkcd3RWZByJvlcYE8Rm0Z:pk24MSIHEtgHFByJvlcY/m0Z

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	20bc77851471596619695d6fe6cae080N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	20bc77851471596619695d6fe6cae080N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe

Executes dropped EXE 23 IoCs

pid	Process
1092	Cjpckf32.exe
2424	Cajlhqjp.exe
3176	Cdhhdlid.exe
4260	Cffdpghg.exe
872	Cmqmma32.exe
4592	Calhnpgn.exe
4996	Ddjejl32.exe
1964	Dfiafg32.exe
2916	Dopigd32.exe
5056	Ddmaok32.exe
4432	Dfknkg32.exe
4952	Dobfld32.exe
3340	Delnin32.exe
4912	Dhkjej32.exe
396	Dodbbdbb.exe
4836	Daconoae.exe
3336	Ddakjkqi.exe
736	Dfpgffpm.exe
448	Dogogcpo.exe
232	Daekdooc.exe
4740	Dddhpjof.exe
968	Dgbdlf32.exe
1952	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	20bc77851471596619695d6fe6cae080N.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	20bc77851471596619695d6fe6cae080N.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	20bc77851471596619695d6fe6cae080N.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2408	1952	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20bc77851471596619695d6fe6cae080N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	20bc77851471596619695d6fe6cae080N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	20bc77851471596619695d6fe6cae080N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	20bc77851471596619695d6fe6cae080N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	20bc77851471596619695d6fe6cae080N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	20bc77851471596619695d6fe6cae080N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1092	1616	20bc77851471596619695d6fe6cae080N.exe	83
PID 1616 wrote to memory of 1092	1616	20bc77851471596619695d6fe6cae080N.exe	83
PID 1616 wrote to memory of 1092	1616	20bc77851471596619695d6fe6cae080N.exe	83
PID 1092 wrote to memory of 2424	1092	Cjpckf32.exe	84
PID 1092 wrote to memory of 2424	1092	Cjpckf32.exe	84
PID 1092 wrote to memory of 2424	1092	Cjpckf32.exe	84
PID 2424 wrote to memory of 3176	2424	Cajlhqjp.exe	85
PID 2424 wrote to memory of 3176	2424	Cajlhqjp.exe	85
PID 2424 wrote to memory of 3176	2424	Cajlhqjp.exe	85
PID 3176 wrote to memory of 4260	3176	Cdhhdlid.exe	86
PID 3176 wrote to memory of 4260	3176	Cdhhdlid.exe	86
PID 3176 wrote to memory of 4260	3176	Cdhhdlid.exe	86
PID 4260 wrote to memory of 872	4260	Cffdpghg.exe	87
PID 4260 wrote to memory of 872	4260	Cffdpghg.exe	87
PID 4260 wrote to memory of 872	4260	Cffdpghg.exe	87
PID 872 wrote to memory of 4592	872	Cmqmma32.exe	88
PID 872 wrote to memory of 4592	872	Cmqmma32.exe	88
PID 872 wrote to memory of 4592	872	Cmqmma32.exe	88
PID 4592 wrote to memory of 4996	4592	Calhnpgn.exe	89
PID 4592 wrote to memory of 4996	4592	Calhnpgn.exe	89
PID 4592 wrote to memory of 4996	4592	Calhnpgn.exe	89
PID 4996 wrote to memory of 1964	4996	Ddjejl32.exe	91
PID 4996 wrote to memory of 1964	4996	Ddjejl32.exe	91
PID 4996 wrote to memory of 1964	4996	Ddjejl32.exe	91
PID 1964 wrote to memory of 2916	1964	Dfiafg32.exe	92
PID 1964 wrote to memory of 2916	1964	Dfiafg32.exe	92
PID 1964 wrote to memory of 2916	1964	Dfiafg32.exe	92
PID 2916 wrote to memory of 5056	2916	Dopigd32.exe	93
PID 2916 wrote to memory of 5056	2916	Dopigd32.exe	93
PID 2916 wrote to memory of 5056	2916	Dopigd32.exe	93
PID 5056 wrote to memory of 4432	5056	Ddmaok32.exe	95
PID 5056 wrote to memory of 4432	5056	Ddmaok32.exe	95
PID 5056 wrote to memory of 4432	5056	Ddmaok32.exe	95
PID 4432 wrote to memory of 4952	4432	Dfknkg32.exe	96
PID 4432 wrote to memory of 4952	4432	Dfknkg32.exe	96
PID 4432 wrote to memory of 4952	4432	Dfknkg32.exe	96
PID 4952 wrote to memory of 3340	4952	Dobfld32.exe	97
PID 4952 wrote to memory of 3340	4952	Dobfld32.exe	97
PID 4952 wrote to memory of 3340	4952	Dobfld32.exe	97
PID 3340 wrote to memory of 4912	3340	Delnin32.exe	98
PID 3340 wrote to memory of 4912	3340	Delnin32.exe	98
PID 3340 wrote to memory of 4912	3340	Delnin32.exe	98
PID 4912 wrote to memory of 396	4912	Dhkjej32.exe	99
PID 4912 wrote to memory of 396	4912	Dhkjej32.exe	99
PID 4912 wrote to memory of 396	4912	Dhkjej32.exe	99
PID 396 wrote to memory of 4836	396	Dodbbdbb.exe	101
PID 396 wrote to memory of 4836	396	Dodbbdbb.exe	101
PID 396 wrote to memory of 4836	396	Dodbbdbb.exe	101
PID 4836 wrote to memory of 3336	4836	Daconoae.exe	102
PID 4836 wrote to memory of 3336	4836	Daconoae.exe	102
PID 4836 wrote to memory of 3336	4836	Daconoae.exe	102
PID 3336 wrote to memory of 736	3336	Ddakjkqi.exe	103
PID 3336 wrote to memory of 736	3336	Ddakjkqi.exe	103
PID 3336 wrote to memory of 736	3336	Ddakjkqi.exe	103
PID 736 wrote to memory of 448	736	Dfpgffpm.exe	104
PID 736 wrote to memory of 448	736	Dfpgffpm.exe	104
PID 736 wrote to memory of 448	736	Dfpgffpm.exe	104
PID 448 wrote to memory of 232	448	Dogogcpo.exe	105
PID 448 wrote to memory of 232	448	Dogogcpo.exe	105
PID 448 wrote to memory of 232	448	Dogogcpo.exe	105
PID 232 wrote to memory of 4740	232	Daekdooc.exe	106
PID 232 wrote to memory of 4740	232	Daekdooc.exe	106
PID 232 wrote to memory of 4740	232	Daekdooc.exe	106
PID 4740 wrote to memory of 968	4740	Dddhpjof.exe	107

C:\Users\Admin\AppData\Local\Temp\20bc77851471596619695d6fe6cae080N.exe
"C:\Users\Admin\AppData\Local\Temp\20bc77851471596619695d6fe6cae080N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\Cjpckf32.exe
  C:\Windows\system32\Cjpckf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\Cajlhqjp.exe
    C:\Windows\system32\Cajlhqjp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\Cdhhdlid.exe
      C:\Windows\system32\Cdhhdlid.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 396
        25⤵
        Program crash
        
        PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1952 -ip 1952
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
115efb9f35c7e4da0cc2052a9d0c3395

SHA1
9f0de33dda13a6cbcf3ae2fc1e28d107233444d2

SHA256
60b8dc4973dc2fffd070376a3bb1a0551eeb11d1579b8a116053de6c310b11cb

SHA512
bd1d06f021b1246c6fa7d3a378c73ec4e1d0aa2fa44b354364705095b0afc803a70b3a9d1843c4122efc776b5104b30e2f095f6fd021c6659be864013a3339b5

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
d2677b0a59d7e4bf2171f4df047f8a1c

SHA1
e9b3c7b512a61c2d812501ad216536234a02f117

SHA256
449f1d02ece8cbed8218453cc591f054c33472d82d930a2884e46af379b5e1b5

SHA512
1b4da3ade1d114af1326d62825cdb766e87f8861e260612612cc739e8ab89f2bfdbc9d2afcdff83f87b798c150c7a493f2e81272f437cea33f976113cf41f4a7

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
067e8770b79a3dfb446ad434fd6b122f

SHA1
8cd3aa566e52dc9476cf0b471f66dc49c347cf4a

SHA256
09b66adcaf8715e2b531d44b4addeda6b74c5566b183c588c22099dd9a246b9c

SHA512
211b7f26d4a60d99ed34c5773409cd2f0b84a72597409a2bb142701319a3119ca3032c94eb4432089d465f8492d7a14878c5ab21b4bb251b1f19ad9d4b42481e

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
89e2db94a2fbc149d284e979cff009de

SHA1
32ffeaa80d80a1791a191feabd00b288e740a4e9

SHA256
36f37870836233eb330d66942f2fb1f1d808e9dbc38e5e8d737cd51429399c01

SHA512
0fbf5081549086c5f805e573d61a685d3ee6b320b8cdf2bf101875a84e2dd42b1cc838d407c493ca2653ec0be710b1d312d4db677237cc2c45a9982ec9c7334c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
c9b352ee371a9634a017e16ec6dd53cc

SHA1
8b9b7b5850214c5bcaf78608e6792cc8a48b3fd7

SHA256
1d0f07429883e3f80cb517cfe85574e821d44805fa0d4c291917baa8a2693ab3

SHA512
3005d10dafb5656bbc6ba4a524669eb298c3a8acd20c62da1ddeafa5ca2e8880880fefb80af7b0171d6c048cb818010d855412eca82c75011388bc880b68622c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
cfccb1b3786b92096c67ffb837f376b5

SHA1
83ea68bf46fc0a0b17942b18ee956c7e5e14b52d

SHA256
ecd66c846735449f27ef41bbcc438af28ddeeb2249e975a0facf8e767f9ba90f

SHA512
43358c3823f258a738880b25823f5e692cbab41109983b8f1056523775dfdfc5c2013d56867456e6cdf00fd0e7694a976bb48c04ae5fa27f42ba29f00abaf26d

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
64KB

MD5
14fb1f7337c8684f60453c20b29875ea

SHA1
8004f87c1c17e769844d1a4e2e212f119cdef3d1

SHA256
17ff29edeaa524436205e481564c823c6f37cc4e148bd7e78cce3be47c29f20c

SHA512
629adf9ec887638aab57280c1b71940086dd1c09227bde0a70d1f283bc3f52f56c7157c604d534aeed8c6de5bf946f1a7ccf1064ece337fa7c38f7c4171eaeb1

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
7f5fba92af28625aff0073b0921f436f

SHA1
2faade573368a55779c14a01cb592febc91f5997

SHA256
ff9fa268b20a98dedb8330248857434be63c6912dc84ca51e20290e95866c613

SHA512
c9d0c76765bc2d8de76c9ec9e6db33f8bd088dbd2098228665e2d0f54c9d90158486f884fdf3066d0882e9daa114730e5be4efb60300eee30474c31b65a3650f

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
64KB

MD5
b4812584b03c4cde278770c3beda46dc

SHA1
2c0d055ac5ee16aba70cdeb8aa32816f674c88bc

SHA256
2a860a74da15f63378a527f906af91b04f99823a69834dceba82ffbbd74cc85d

SHA512
a365466d7eb58178d945bc637cc800611c2f14ac9efc4516edaa5a567c4d6ca643de547bb7a359a03a209b32aa3b67ea45d3db1bc02e18a4b2cd6241c5529000

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
64KB

MD5
b8d9988909a145075851b572cfa080b6

SHA1
9236d7a9077ddec48d3e5ee68190bfe4fe9d5cf5

SHA256
720bbca939c1b40fea26522309af71dc90ee7e6d7213675ce41bc9941f0c0724

SHA512
9a02c3c03cdc562784856430bce111b068fd2695ebac49aad62b690e06a4eb86299033d7df584354a79854f2994c696cc83b8f5cc6612d3b96c66b19d3ce7fe9

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
17b5633ad6d5e09998d457c26a88d1e3

SHA1
bd60dc5d61ba558e11ee27ff525abc043b3175b7

SHA256
a5cbc022ee940dfb70995846d1f9b580919b38eb7842271f90d8e15ce20bd988

SHA512
468f236d8dbb6e976db389f57d0fc666d0de647f3f9f218ec5ee4726483d885f79202ab447fea8e8f7707db8aafc92c049c394f36173ac296fbe634fa271dc61

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
dc71bc7cb1f97f28240606371df74d85

SHA1
b8d49a8a3e060dc789b11b68571ab7ceebe1078c

SHA256
b0820e2c8ef410c0a72ee31e632c7d73b699d832596ee810acd132cc613675bf

SHA512
5dceec4ecc929375f8c57986dbb0429a62a8da304fddaa1c85bf80e3bad76f255805520fe32eae07469178b11e16278580b4ef52d19f0df9e43d8e448a302cd5

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
d2281d6d3d1af53b4547e00c812177e2

SHA1
cf2ae7e93c68bf6a92df6be72a40f1bbec0fca29

SHA256
e2047cc813c15293c368afea5234bfa0d6b0549d43eff3ae58ccc4d1813145fc

SHA512
a4598d4027bf6c051ee8fdb4ed9d62ed376b9d46a13e8174605abe1dfd78dfefcf95e9a586b557db342f1af1ad2ee403de9441d57c222ec72ce4946f704ef7fb

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
4c089aedc58121edd32a39391837a55e

SHA1
df7ec23efda1902e64b00f00475c5b417fe0e096

SHA256
bf5501763d641034c173fa43aa29929bc56d73ad69d5a269bb1b5e66488b0838

SHA512
0ffa2a777c16df51908fbb7666b6948829a67b9eea5521a500208d627b2bf0aeaba35e2d68855f3f23aa99dae45e3abbd3bbd26853cdaaea24079a6dd95301a7

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
106d47c0a139063ad517c92513e878e5

SHA1
3e5516be86a739c461529f501285154c79ff2503

SHA256
cd9da5e6e11ee91ecba4d131d9c233f7159ee2efab480181466cc9dcca14b01c

SHA512
ba5d381eda72f93c9a29a045bc22c7aa63eb9e991976bbcc4689eb6917a129ead00e55e23a384d72b260c52608089d82d157fdfe9ca4da442362a177da463ec5

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
e7219a6af484fc43f762e82234b207d4

SHA1
00b388e9902534056097cf19b34b732c1b3b5e7f

SHA256
1c4c9b656cd3602b3552a3df3afe0a3ee0bc98e3041c4f75222ef835808216bd

SHA512
1260da9f27ae0bf6aa84209b253213437ac7db46164da7b5dee7ac7f0a06a0d5c3b073f5c66b1cfd723656b12a8b4c70cf494319b45b564616ce88218bbe5b15

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
d3308fd8804bcd6f3fce4a19374bef3d

SHA1
1ee07a28a887e48aacc8ecf42df461771b5a4d8f

SHA256
a5604bd98e728eb24fc66f07b47c9b12c429202abed7365e0d9e4c985e5b145d

SHA512
5833069f3389bdb5ab360d8dcb93250225eb57e73b54bee1cc4605dbfc1bd32164c1b94d812ddd2c4b2b58036c061d42b77258d77175f8abeb55432f1c4a21d2

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
bb08174d178d83200b7bc4dc0623f229

SHA1
33b2ec5a45d1f31d839ce287adef01f96eebc469

SHA256
15ecf6e6619a15825cd1dc41fdffc15c89f2d35d87555324b392129a7a44d7ca

SHA512
a55053efafded986e774343c292262d9c8c866a82731cc249a1f569f44a8246972fde01255e4a1d2eb4ff89b9c3d96209ed40fa87088a180c977622d6486628f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
9ffe4c297caeedf0271a4b88618cefc5

SHA1
bcc0f06dcdf2b95b0fc25cc07777306d34e83397

SHA256
e96e85d8ebfe2bde681358088ac223d2dd97f9e002ae7b19fe6a541fe4e09d0b

SHA512
731f241413a426b7236ae3051a73ea4878111781393d5504182ec76ffa3681b116bf769d54fb7fea27ffbf16027853bbd901e8e41a865f7a6bd09a357db07ca6

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
8b7d03eb697e0a0a9dab5e63308c5643

SHA1
6cecae34d73e1a17cd5e437bd685063474068310

SHA256
0192960871fba66fe66e6872626b1aad456acdaf51c2454370c3e3f37f0c333e

SHA512
41ceaa36ccbb9e9bb0b9d7e167f56dcfe9a8bae35d512e4918e96d511cd44b593521bf2fb31c22bc6b242c5ccbf5bf438bf2f6da2922e3ee23f79915d77a0037

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
64KB

MD5
30282e9c2bfd09c41708b68fe7df2458

SHA1
bcd84667d9331951bc8ef4bae701e36bb94c0955

SHA256
81a05b586c72a7403e6b9297ae97c3542cf15417958d1d2809ce49be2a3bf14e

SHA512
717d6fc7813a8c55fa3bb146d29a71274c448c3ff33dce94b733a8e04491c8ef91eea3736661e3c3c115444816ed58bd6956d406a3f6e37e0001b3afe25dfb48

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
a2802d29dc765ba07226fde8201a82a0

SHA1
78dbb5d0a6361f6665a02e2fd37ae766c713fb9c

SHA256
943a15b135927244cf9b97ca22a7a2d5f41239c9139cc060662bd16172d34885

SHA512
5c22d15d6da413d1a8ba11569948ba91132e4cae3a0a4571952f45194b8525f78c5f801e96e21b7f195aaf80255dcb0a2c51f3ba3a8bb9f0bc7446960f5c410f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
64KB

MD5
75d127a7af86ae4b1b9acb9b788c32e2

SHA1
78a3c17c0f7b55d435ae51b1079de47f886f6b08

SHA256
2a27204cd0dd4343f5b2d56ab2d6b5b364d16ab4ada9d32d7f362d828eeab953

SHA512
506e62c84dd97796f2547d769e4c2206b06af402df382b314fb87028dafce045cadd2d289d75d37be305a3623d13f6da0ade13daa2454aace0ac854efe57e647

Download Submit
memory/232-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/232-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-187-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1092-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1092-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1952-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1952-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3336-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3336-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3340-195-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3340-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-203-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4740-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4740-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4912-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4912-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4996-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4996-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads