abe2cf1dd806510b83b8113bdc81040118afa780f1f1a06e34485eabee87a574

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7417176fff38c16482634b3022bfa800N.exe
Size

96KB
MD5

7417176fff38c16482634b3022bfa800
SHA1

e40a68153f80f4bb4371f69ec992dcfa59c50a83
SHA256

abe2cf1dd806510b83b8113bdc81040118afa780f1f1a06e34485eabee87a574
SHA512

5447c758d2f46cc24cbde328057ded1c03baafe303a70a738d42fd6b3e3997d3d01317f46e959b84f4d1a249a25c047cdd4a14806106a76b2b2d579c50412bac
SSDEEP

1536:atBzilyJrpNGcRqB+/cwZgj30gO2LtZS/FCb4noaJSNzJO/:4A8BOU3zGtZSs4noakXO/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7417176fff38c16482634b3022bfa800N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7417176fff38c16482634b3022bfa800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe

Executes dropped EXE 21 IoCs

pid	Process
1568	Cffdpghg.exe
3252	Cnnlaehj.exe
1232	Cmqmma32.exe
5024	Cegdnopg.exe
804	Dhfajjoj.exe
3528	Dfiafg32.exe
1480	Dopigd32.exe
676	Dejacond.exe
3308	Dhhnpjmh.exe
4824	Dobfld32.exe
3196	Daqbip32.exe
2844	Ddonekbl.exe
1752	Dfnjafap.exe
1208	Dodbbdbb.exe
452	Daconoae.exe
1740	Ddakjkqi.exe
1052	Dfpgffpm.exe
2012	Dmjocp32.exe
2540	Deagdn32.exe
2700	Dgbdlf32.exe
4092	Dmllipeg.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	7417176fff38c16482634b3022bfa800N.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	7417176fff38c16482634b3022bfa800N.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	7417176fff38c16482634b3022bfa800N.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
456	4092	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7417176fff38c16482634b3022bfa800N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	7417176fff38c16482634b3022bfa800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7417176fff38c16482634b3022bfa800N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7417176fff38c16482634b3022bfa800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7417176fff38c16482634b3022bfa800N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7417176fff38c16482634b3022bfa800N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7417176fff38c16482634b3022bfa800N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 1568	5080	7417176fff38c16482634b3022bfa800N.exe	83
PID 5080 wrote to memory of 1568	5080	7417176fff38c16482634b3022bfa800N.exe	83
PID 5080 wrote to memory of 1568	5080	7417176fff38c16482634b3022bfa800N.exe	83
PID 1568 wrote to memory of 3252	1568	Cffdpghg.exe	84
PID 1568 wrote to memory of 3252	1568	Cffdpghg.exe	84
PID 1568 wrote to memory of 3252	1568	Cffdpghg.exe	84
PID 3252 wrote to memory of 1232	3252	Cnnlaehj.exe	85
PID 3252 wrote to memory of 1232	3252	Cnnlaehj.exe	85
PID 3252 wrote to memory of 1232	3252	Cnnlaehj.exe	85
PID 1232 wrote to memory of 5024	1232	Cmqmma32.exe	86
PID 1232 wrote to memory of 5024	1232	Cmqmma32.exe	86
PID 1232 wrote to memory of 5024	1232	Cmqmma32.exe	86
PID 5024 wrote to memory of 804	5024	Cegdnopg.exe	87
PID 5024 wrote to memory of 804	5024	Cegdnopg.exe	87
PID 5024 wrote to memory of 804	5024	Cegdnopg.exe	87
PID 804 wrote to memory of 3528	804	Dhfajjoj.exe	89
PID 804 wrote to memory of 3528	804	Dhfajjoj.exe	89
PID 804 wrote to memory of 3528	804	Dhfajjoj.exe	89
PID 3528 wrote to memory of 1480	3528	Dfiafg32.exe	90
PID 3528 wrote to memory of 1480	3528	Dfiafg32.exe	90
PID 3528 wrote to memory of 1480	3528	Dfiafg32.exe	90
PID 1480 wrote to memory of 676	1480	Dopigd32.exe	91
PID 1480 wrote to memory of 676	1480	Dopigd32.exe	91
PID 1480 wrote to memory of 676	1480	Dopigd32.exe	91
PID 676 wrote to memory of 3308	676	Dejacond.exe	92
PID 676 wrote to memory of 3308	676	Dejacond.exe	92
PID 676 wrote to memory of 3308	676	Dejacond.exe	92
PID 3308 wrote to memory of 4824	3308	Dhhnpjmh.exe	93
PID 3308 wrote to memory of 4824	3308	Dhhnpjmh.exe	93
PID 3308 wrote to memory of 4824	3308	Dhhnpjmh.exe	93
PID 4824 wrote to memory of 3196	4824	Dobfld32.exe	95
PID 4824 wrote to memory of 3196	4824	Dobfld32.exe	95
PID 4824 wrote to memory of 3196	4824	Dobfld32.exe	95
PID 3196 wrote to memory of 2844	3196	Daqbip32.exe	96
PID 3196 wrote to memory of 2844	3196	Daqbip32.exe	96
PID 3196 wrote to memory of 2844	3196	Daqbip32.exe	96
PID 2844 wrote to memory of 1752	2844	Ddonekbl.exe	97
PID 2844 wrote to memory of 1752	2844	Ddonekbl.exe	97
PID 2844 wrote to memory of 1752	2844	Ddonekbl.exe	97
PID 1752 wrote to memory of 1208	1752	Dfnjafap.exe	98
PID 1752 wrote to memory of 1208	1752	Dfnjafap.exe	98
PID 1752 wrote to memory of 1208	1752	Dfnjafap.exe	98
PID 1208 wrote to memory of 452	1208	Dodbbdbb.exe	99
PID 1208 wrote to memory of 452	1208	Dodbbdbb.exe	99
PID 1208 wrote to memory of 452	1208	Dodbbdbb.exe	99
PID 452 wrote to memory of 1740	452	Daconoae.exe	100
PID 452 wrote to memory of 1740	452	Daconoae.exe	100
PID 452 wrote to memory of 1740	452	Daconoae.exe	100
PID 1740 wrote to memory of 1052	1740	Ddakjkqi.exe	102
PID 1740 wrote to memory of 1052	1740	Ddakjkqi.exe	102
PID 1740 wrote to memory of 1052	1740	Ddakjkqi.exe	102
PID 1052 wrote to memory of 2012	1052	Dfpgffpm.exe	103
PID 1052 wrote to memory of 2012	1052	Dfpgffpm.exe	103
PID 1052 wrote to memory of 2012	1052	Dfpgffpm.exe	103
PID 2012 wrote to memory of 2540	2012	Dmjocp32.exe	104
PID 2012 wrote to memory of 2540	2012	Dmjocp32.exe	104
PID 2012 wrote to memory of 2540	2012	Dmjocp32.exe	104
PID 2540 wrote to memory of 2700	2540	Deagdn32.exe	105
PID 2540 wrote to memory of 2700	2540	Deagdn32.exe	105
PID 2540 wrote to memory of 2700	2540	Deagdn32.exe	105
PID 2700 wrote to memory of 4092	2700	Dgbdlf32.exe	106
PID 2700 wrote to memory of 4092	2700	Dgbdlf32.exe	106
PID 2700 wrote to memory of 4092	2700	Dgbdlf32.exe	106

C:\Users\Admin\AppData\Local\Temp\7417176fff38c16482634b3022bfa800N.exe
"C:\Users\Admin\AppData\Local\Temp\7417176fff38c16482634b3022bfa800N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\Cffdpghg.exe
  C:\Windows\system32\Cffdpghg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\Cnnlaehj.exe
    C:\Windows\system32\Cnnlaehj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\SysWOW64\Cmqmma32.exe
      C:\Windows\system32\Cmqmma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 220
        23⤵
        Program crash
        
        PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4092 -ip 4092
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
e7376bb352d871dcd3ccb3a5ac06981a

SHA1
0e04d3ca15a6eb45c2d9729ad20eba538ad55d59

SHA256
87c390d437ec45a5f1745ef0f0b2b5e70d7a4984a94866a226b6757f24fdff31

SHA512
844551e840846f2a755b917e6eb532d73b391a825e714884e84296ca41b2a92ebd62fd4e08b49e5ce1e44bafc9d143b08164a52e4013e0fedaa26f301d2ab5b4

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
66cc6789ac2549476920df21cad4270f

SHA1
66c28b52b763f8994c5e071c3d92b915634c28a4

SHA256
c02dca0ca40d82948e6adde5067e0149be0b292506f6493d34e17482a8bd3ab2

SHA512
762a955253650a8ef8955d61472d525e1f988c4ba120afc8ca7d99ba512ba36c90bf6b3c868ee9b1b82bc62b6e276debc52e964e18f8929b76fd7094f284b79a

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
440c7deee4579c6824e23a58e7c7a7cb

SHA1
c044f4b2275570113fee24c8cea20369a6975692

SHA256
0d159282fb033882c417fd31760a7ec02e0efd72104c9432c06eab60507583ae

SHA512
7727059255694b28a089da6c9066e7beec9d4c2fa32d7a11928b49da10e12905facf7f86bffd3209881d0fdbd0921e6f611464f5d747c828e1539507dd7ec3dc

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
e872cccd1f0fbffa3034908ceef326c9

SHA1
c29db5ed8c251221203a160a924d13e6f0e3c10f

SHA256
cc2a1e58a4e16af71274c7896973d4b3144d458d79ef4415a021029218fe97d0

SHA512
aa34d9cb524566d25fbf1d8e426d4b616503fa5cfa811ea6a77cefc9ad78779dde043185902c4c265eae00dbca964c1eeb17376d70bdeab131c6b1701cd63dd1

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
6fb5502d98c8a5573b068162c7af0421

SHA1
dbecad5dbd31901f0567bfe1de0b57260577444f

SHA256
473ae64578fba7fffb8843390b8ce3467fced5e0d0284b8ad91009cb11497e7f

SHA512
525cc7980b283c859298d476a7d01c3007fe3fff8d519fa4185e4c74e7c2b8438c740a96b70d9b25cf64a91db62a84eedf93c56e0b7d6e0593a54ce0170071ce

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
bfab64c985e73563ce48bca7c26f1b0f

SHA1
d46ffa2ee3c591faabf1ce0de69275f1a3174c40

SHA256
2f746cffc235ace3bb8288050e20796f93ea64bcf4be9714ef584fe51212eb0a

SHA512
40ede6fdb1e128dce2c7840060423f4f1d1e0c8b8ca7cb5fab26e8a3c7828af955b6c352cb708299a53e1b6cf63bec9165c87d640990779da36d25dd9c069d14

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
8811ebe3e3c700ee14d6d2d3e95cc0f8

SHA1
2523c73023c4f86d2d1113738b66750531abb808

SHA256
949ce1c66d447799117c144bd81432edc44dfea3c6aa892c1dea722e7dea1e87

SHA512
865060674171e7b35314990beb31eb2ff3cb259a079964a58f168df0f973397da1f224ca5509befd7e06e863c554c9e8307009219bfa6273082fbe2569cf5286

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
703a5e9af60301172a9ec2962e5dbad6

SHA1
45c2bfb002158629d1b288624af9eae7689a285e

SHA256
8e62645822ceba6d6dfcc1f944a72cac306703f893ecc99481bf8370797ec48a

SHA512
ae29266c8f82a34fec018ff12009354c1c876c7a22400974073aff5615e163285715e6b4654c2afbd523015bf214a233b2fe5ed51498319ad9187cc98f5903bf

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
5b0d8a83dbe96082990730698b6ad92a

SHA1
e207612a7904cc28d8762b488bac3ab74645c686

SHA256
48522a8e9ba81ad892eb0ee193c32ff0e8393ef6168b65a86e605e8fe7ab1fc8

SHA512
9cd3e81b91459253bc0798407f30c7d54cedebaddc63229b5467b3d95e878f233e4bdbaac65e6147ba1dd2df287acb11149c7ff2722d6b5688e108f1c3584500

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
9421a4f2692bdb3a6508bb8846d6d677

SHA1
39cfce90dfad4b09002d1574147a4ba9616c5137

SHA256
d13b5dc6d6dc984c94518ce7ba243c4217911054d2659163645172220f019407

SHA512
3bae5234cd19835f71dc454d95790199e6083296ee388c687a515c01f1660bb5275d96fd9bd32a9551ec5f9b5af6295924c959b5572c1384a0d411ead217db46

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
cf623b8df071332c3fd97aeee4224c69

SHA1
84aac74245a341560de209ae5e90c8627114d5cc

SHA256
b2ed2287b1038bf13c03428d9c11f3a94c8997f3c14535d064ef53957d9a9072

SHA512
a8bace140996688e9b48bff9599ab0c762b2db8a6ac20aa6fa6661c49da639e17327dd9484851f5649acc0b760e04f043a600e8a5053a66cf5623ae74de78859

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
8cab8e4a1ba3deec18076cfe2f3e8fc6

SHA1
df814819afd4338bf1cf879dfc2ed65167b13945

SHA256
f64b6b44daa77dbbddce28c5ce4f0c19e3216ace24b8e76c568743b429236343

SHA512
4f3d7906b175a6ff21d14d6b564587fdba46feb5a945b24767b25ff5dc097d17b3868e41b42adb22873ba57e5df1a3af6fd6ce8dffd244304de8077464f3b23a

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
a113be5a36f6121f068726292930fc0f

SHA1
17be87ff84d762b8089113ced0ac5eadbe581544

SHA256
fbebee7b3b8edbe524bce848d473bee16ceffe956b98ad64762befa8eeffdb6e

SHA512
121168e9013e7df713cd17f1dd77d1ceb1fbe1b7aa3ee7c9fd8c6f3281a2f2067415c372d0a6356ae5485945bfd920edeb2d9003fceebe9d4849d700a29bc1b7

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
14aff1388997af0f2316026880859c89

SHA1
c90d6ee26235e2816684a1c4340fd0c1139e7b9e

SHA256
3bc195604e044acdce56fa059082db66a85720a7f8249f89ae6f151f254d4feb

SHA512
af0c431bf73e7957a18b53f0adbcb708af227754c92eb8bf9c7795f698b1f93f08c3a49d331196632ee3d42105c23dc2dfedf353b4294e9bf1de4069f3778ac6

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
b4b57b32a9dbe6345e567de0e26e8668

SHA1
dd97c1de752c0d7041e8d6f68bc2a3cebc76dc8a

SHA256
8489299230d6892c5036d72759ac79c398165b4d8d6c6f1366a2c2a9cd02b414

SHA512
50660a21752b984dbec6e636cfb1585da119cd289b9f93fb6d78631e22605828cbb98ca39ea17a6a3531218c729db6ee2cdbb5586d51636dbc0b6992816543a5

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
123f4902a141607d83da1913206b9a93

SHA1
d5249bacd7c733403314f19b0e65e60ce0032e5d

SHA256
23a21f455c2e4b5624fbd346ad20561fba5adf1492d795df296e7a534d6fd445

SHA512
4a357eeff642354351d8d9f165bc4c946b52c00886dceba738194f5cf7097c75c2266b4d5eb9629a1f649003e6c48e8d4f35b64cdd914364b08daa3f2b44b6d7

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
4c306f46ce9096efae99007eaec44233

SHA1
23f2596c41dc210e699bd66a5016852a6ed9b264

SHA256
e5447a5390eaff6778c614bc11bb1bb5656d8fb946511ea253e48e3907d221cf

SHA512
b6bb83e0240797eb9d2c8c45097130bb52686c78ae5e0ec510bb0bce134e39c3d88a8836673ce143257ac7448f082d7b7959702f72c3d0b320618a6a7dddbb33

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
889b6f80e488400e9dcf6907c366e99a

SHA1
0dffe6fa2abab2344035a5308e3f24635489ab33

SHA256
432052764924b4526466e79dd2db29846fdeb4fec8d41633c8edb44b9b73d4e6

SHA512
dc5716c646801e318b45cdfea8296562f0d6f80ffb0ca6a6ad54231cef4fee9b16fd62db4b8eb16c0dde3cbfe94c0e52452179240a65a2d8a67d9510e54e2edd

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
077a2c1debcb29a327adcd63ec4db231

SHA1
ebc25e128655a4ad8a40701b46c622c9b8d2dcd3

SHA256
b720749aa22a6c704138854bb11e65d9c51a4edce4631fdac7b6ce410c5b8525

SHA512
42f9df989718c907470d0b3103b70065f907df0ead81bd80a3990df63a1faa8c90c1a14ba927de72b3e9e6523d1af8972ca778c86e18b2b6474dde6c5f8bad7a

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
09f5e62fc7a86574d5a3a7ee5b60da38

SHA1
7ff970cd96a2326f8672c8a9cae0ab61f4faa5b7

SHA256
19d8949f9ed8beb850c08672c4e9907cc40b3b96ebc1a4b2ca4e36e3e39420aa

SHA512
ce8f96960854fd7e196999008137332fb46d67575654b85faaead01deb61de86f7c77756bf517793089cab1f90e469310d8dbd880dbb8a98f4a015d08e5c87d8

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
6db481c77e28dfa969e594aa26dcd094

SHA1
e7f69b4087797af8ba0695bca1361df5754080d4

SHA256
268f8013c3e0c216f5898b5a7229166c5af2b4bec014b21b61e714f4e55fd4da

SHA512
87a3e77f8edcfae9852c73bdfd4d0f3ddd609866186ff82fb51e1a64ca2e22c861cd2aa90ead51451eb72019091a0ef7d62a8d78f87efdd1840505cb8dcbb266

Download Submit
memory/452-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads