8c05ac48cd66f6bcebfee2a9b093255b56c0c8ca528d14979a0c48bfac904172

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b11afe7de300980142e5432a019b36a0N.exe
Size

56KB
MD5

b11afe7de300980142e5432a019b36a0
SHA1

ae9d1290d7875d2166bce5c305498993458fc654
SHA256

8c05ac48cd66f6bcebfee2a9b093255b56c0c8ca528d14979a0c48bfac904172
SHA512

07f6a87204e7aeffecb0d861ac3fefd8b8869d084f53c5ac438e66819b91072bab782901de4b35038aa17c593087237e41961c2d29bdea1ed35c351004b3443f
SSDEEP

768:lt7hhd5R/1fkKeP29Ojb7XZc3YASC0PLl9ys82oYU+TnZWBNvkWnbG68beqNx/13:ltJ5V1p2+ONdAS0gwBuyN8beYzt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b11afe7de300980142e5432a019b36a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b11afe7de300980142e5432a019b36a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe

Executes dropped EXE 20 IoCs

pid	Process
2124	Cfdhkhjj.exe
4844	Cmnpgb32.exe
1260	Chcddk32.exe
2752	Cjbpaf32.exe
4776	Calhnpgn.exe
3576	Cegdnopg.exe
4060	Dfiafg32.exe
5016	Dopigd32.exe
4292	Danecp32.exe
3900	Dfknkg32.exe
1536	Dobfld32.exe
2720	Daqbip32.exe
2612	Ddonekbl.exe
1156	Dkifae32.exe
4840	Daconoae.exe
2304	Dhmgki32.exe
4904	Dfpgffpm.exe
2780	Dogogcpo.exe
4600	Dmjocp32.exe
4648	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	b11afe7de300980142e5432a019b36a0N.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	b11afe7de300980142e5432a019b36a0N.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	b11afe7de300980142e5432a019b36a0N.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3268	4648	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b11afe7de300980142e5432a019b36a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b11afe7de300980142e5432a019b36a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b11afe7de300980142e5432a019b36a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	b11afe7de300980142e5432a019b36a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b11afe7de300980142e5432a019b36a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b11afe7de300980142e5432a019b36a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b11afe7de300980142e5432a019b36a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2124	1128	b11afe7de300980142e5432a019b36a0N.exe	83
PID 1128 wrote to memory of 2124	1128	b11afe7de300980142e5432a019b36a0N.exe	83
PID 1128 wrote to memory of 2124	1128	b11afe7de300980142e5432a019b36a0N.exe	83
PID 2124 wrote to memory of 4844	2124	Cfdhkhjj.exe	84
PID 2124 wrote to memory of 4844	2124	Cfdhkhjj.exe	84
PID 2124 wrote to memory of 4844	2124	Cfdhkhjj.exe	84
PID 4844 wrote to memory of 1260	4844	Cmnpgb32.exe	85
PID 4844 wrote to memory of 1260	4844	Cmnpgb32.exe	85
PID 4844 wrote to memory of 1260	4844	Cmnpgb32.exe	85
PID 1260 wrote to memory of 2752	1260	Chcddk32.exe	86
PID 1260 wrote to memory of 2752	1260	Chcddk32.exe	86
PID 1260 wrote to memory of 2752	1260	Chcddk32.exe	86
PID 2752 wrote to memory of 4776	2752	Cjbpaf32.exe	87
PID 2752 wrote to memory of 4776	2752	Cjbpaf32.exe	87
PID 2752 wrote to memory of 4776	2752	Cjbpaf32.exe	87
PID 4776 wrote to memory of 3576	4776	Calhnpgn.exe	88
PID 4776 wrote to memory of 3576	4776	Calhnpgn.exe	88
PID 4776 wrote to memory of 3576	4776	Calhnpgn.exe	88
PID 3576 wrote to memory of 4060	3576	Cegdnopg.exe	89
PID 3576 wrote to memory of 4060	3576	Cegdnopg.exe	89
PID 3576 wrote to memory of 4060	3576	Cegdnopg.exe	89
PID 4060 wrote to memory of 5016	4060	Dfiafg32.exe	91
PID 4060 wrote to memory of 5016	4060	Dfiafg32.exe	91
PID 4060 wrote to memory of 5016	4060	Dfiafg32.exe	91
PID 5016 wrote to memory of 4292	5016	Dopigd32.exe	92
PID 5016 wrote to memory of 4292	5016	Dopigd32.exe	92
PID 5016 wrote to memory of 4292	5016	Dopigd32.exe	92
PID 4292 wrote to memory of 3900	4292	Danecp32.exe	93
PID 4292 wrote to memory of 3900	4292	Danecp32.exe	93
PID 4292 wrote to memory of 3900	4292	Danecp32.exe	93
PID 3900 wrote to memory of 1536	3900	Dfknkg32.exe	95
PID 3900 wrote to memory of 1536	3900	Dfknkg32.exe	95
PID 3900 wrote to memory of 1536	3900	Dfknkg32.exe	95
PID 1536 wrote to memory of 2720	1536	Dobfld32.exe	96
PID 1536 wrote to memory of 2720	1536	Dobfld32.exe	96
PID 1536 wrote to memory of 2720	1536	Dobfld32.exe	96
PID 2720 wrote to memory of 2612	2720	Daqbip32.exe	97
PID 2720 wrote to memory of 2612	2720	Daqbip32.exe	97
PID 2720 wrote to memory of 2612	2720	Daqbip32.exe	97
PID 2612 wrote to memory of 1156	2612	Ddonekbl.exe	98
PID 2612 wrote to memory of 1156	2612	Ddonekbl.exe	98
PID 2612 wrote to memory of 1156	2612	Ddonekbl.exe	98
PID 1156 wrote to memory of 4840	1156	Dkifae32.exe	99
PID 1156 wrote to memory of 4840	1156	Dkifae32.exe	99
PID 1156 wrote to memory of 4840	1156	Dkifae32.exe	99
PID 4840 wrote to memory of 2304	4840	Daconoae.exe	100
PID 4840 wrote to memory of 2304	4840	Daconoae.exe	100
PID 4840 wrote to memory of 2304	4840	Daconoae.exe	100
PID 2304 wrote to memory of 4904	2304	Dhmgki32.exe	101
PID 2304 wrote to memory of 4904	2304	Dhmgki32.exe	101
PID 2304 wrote to memory of 4904	2304	Dhmgki32.exe	101
PID 4904 wrote to memory of 2780	4904	Dfpgffpm.exe	102
PID 4904 wrote to memory of 2780	4904	Dfpgffpm.exe	102
PID 4904 wrote to memory of 2780	4904	Dfpgffpm.exe	102
PID 2780 wrote to memory of 4600	2780	Dogogcpo.exe	103
PID 2780 wrote to memory of 4600	2780	Dogogcpo.exe	103
PID 2780 wrote to memory of 4600	2780	Dogogcpo.exe	103
PID 4600 wrote to memory of 4648	4600	Dmjocp32.exe	105
PID 4600 wrote to memory of 4648	4600	Dmjocp32.exe	105
PID 4600 wrote to memory of 4648	4600	Dmjocp32.exe	105

C:\Users\Admin\AppData\Local\Temp\b11afe7de300980142e5432a019b36a0N.exe
"C:\Users\Admin\AppData\Local\Temp\b11afe7de300980142e5432a019b36a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\SysWOW64\Cfdhkhjj.exe
  C:\Windows\system32\Cfdhkhjj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\Cmnpgb32.exe
    C:\Windows\system32\Cmnpgb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\Chcddk32.exe
      C:\Windows\system32\Chcddk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 404
        22⤵
        Program crash
        
        PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4648 -ip 4648
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
56KB

MD5
85771065f2a1f9b6cf5726f259056efd

SHA1
aac0251dfcb149b9584cb938d7c223473a1c45c0

SHA256
8ab70cceacd37bf0dec247bf9916b2f6f8d298919676fe13bf910c801c37a320

SHA512
75ab53992a18086bd9f27729ad043cedf37ea30807995bb33741fdddcf7203091f87618d6a414b7e6c7cefac835806ac028c811ede3a2fda9b4fbaf767c34ab8

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
56KB

MD5
c7020563fde09204d675a3219461102a

SHA1
f41afca1cda1786e890f50a86ceae07f39fddacb

SHA256
55138a3911b84e1839d1475b7c72d406b32362964d45bb47d198f9afcf1d6a14

SHA512
434ce48ad5f31391473ff1a743b95881118865eb6a49df52f5ceda5ee83781ccabd372c2c742451aa60a58589d0b673e2c9468d812f8ad39cd329d93581c4c5c

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
56KB

MD5
c4b4fa4b23810889a1edae290254e3ac

SHA1
b1f2c715835c3099206d2de622a1c1fcfc1d8e97

SHA256
bbc2a66896cec8314e5285c2e12c5f2ce183dc1fac13c59050d04a55f1960664

SHA512
413a7707449103369526cdb07e00a7ddefea2b6a366040e9c63d03a357566fba33f0396732880d844a7712f46d9d748bda2d02d81e95a874ae42f272c785a907

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
56KB

MD5
71ad35e6c3c2918f678b58178d881cb8

SHA1
6d732787c34b549c1c76b395891adb48170f6ac7

SHA256
8251e6fed9ec8b4092ae6e554e7c4a0a8fc32394f5d30f98d6d5fc77ee8c64a5

SHA512
17364b1cdb63f4aa7cbec1a73eed31e24029b7592b0f9f8759640f6440a61e280378fed163fd9ad53b35e82d88f3cb059913e28a566cd5c99c6b7d575ffce426

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
56KB

MD5
71b314190eb449159e3cc66767f2e26b

SHA1
d71dd900eb57553d8fb1dbf2967220b91098cc8d

SHA256
38155372b4458506eb6e1081e0902bc37dda46eec0fec8d9f5b854ecddc8110e

SHA512
2ddd8d925b99ed4c69c3cf72c194b7721f396233758771eb4afca242e8e5b942b8620ffaf1ccfab3ae81eb98dc6b05ae9430de43a12156c2be49fd4b9c7e6588

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
56KB

MD5
22aa8c5514675f2d7977688e1cc530a0

SHA1
293b5fde4557a38f40f6a5834a6b78a0b40da6eb

SHA256
92d2151486f807c535d91b0096c6185a627c7df639130e535f3d2ceb5bf27341

SHA512
f70267843388aaad4799a39199e000032678a0129bdaca0d501ae5baac77e309fd3acf19add43afed1e2f26b2df52169160e140ad30709bbb193a93dd23dfcbc

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
56KB

MD5
48163c3cb0fe5ac01bf9f7f3ae9254c0

SHA1
4570ed45eb350eeada36b00aebe856a778c4e558

SHA256
3138b87391771aecca4144372594d661198a9c093e54bb3d799879ac5f94d5bd

SHA512
935013474b29c63a083c5d4e0cbdb78f0d732ab35c423d6139198dadd0d7487e6bec60708c96936081d05bce5cf3cf37087a53063fa95f29f4a410144be17422

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
56KB

MD5
6ade365f7bbd674c36fab7d69e88e617

SHA1
bad54e4ac0e60a6917b995be8702c00b2706242b

SHA256
c3805f056bd8fd2ae0d9106ef88041b4d351eb5b9679b4dc60f08c9236b22e58

SHA512
7e70f129650a07f8159808d656b37b39d9ff2bc460241d2d715c6fee958f84cef7c36dccd038e6f2dae9603b2009f9a27dcec9a35fef081470ad0385f7c76841

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
56KB

MD5
98e256cf5092dcc7fba59cb6475d4061

SHA1
3f554a89480aff1a09462e76b10e213a0bda2413

SHA256
f8dead6bbff2a7b9d7593f0860ea028f1c90735da17c14c0e231174b2aed450d

SHA512
bc44d8dd54a704e9db4c9cd6781691d764a236aad91bf59ceb91d0fa3bb647bb0797defbb608ba10f6b556cc607f5e99ccfb964c192ce19d1ffa9f80e29d19c5

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
56KB

MD5
57ec59e9a6709924a176324175c30561

SHA1
8971f7421abddb1d3b8af6fe6f4fb3da1f844452

SHA256
b81e4fb85c22af34ce338e4307e89f4de511aa57e3c8af999399ddff4554f5e2

SHA512
1b2ac661f27ca0bd0d3521a4c8ae572787e99183a306e316c47b231a87ef01fd7c516f480d0d157fe427526673a6bb98e3c65fdcbeb19c739ebcb5fdc8d5e81f

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
56KB

MD5
2a20101309495c561911e4b51ebdded3

SHA1
d48499037367a7cf588733afb3e8f5ef8c9e5f1d

SHA256
10c2b16fefee6f45c318bf2294b2b4f1e5a802dff4ef8cb4350d8dcc66e7b8d8

SHA512
73e50a636b666d3dd52e03dfabfa9f75438febeac7657d1126a935d5b517f50c0e852d5508c5fb1925669610038ad43db9cfa28a1c978b8e842d056eb183350f

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
56KB

MD5
a9aa426bae286a069c1f952fd15fbea9

SHA1
7b752052d1b0b9a19ae1bc25384e864f571e95b6

SHA256
c64a5471f1daa28563d8da888ded72ecaf31bb6ff88880376aeaa9e4405c6f68

SHA512
0b12b60d2d9739ebf34a2e9c69aee99668a43d2647b540953f6bfaed40d61f62f7a2e0633adcd3ab380a40d35bd16fc5e4343c178b12b733317e81ae8719c257

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
56KB

MD5
a017af37f16207523115ff01b5694f6e

SHA1
944812a475be6cc3348dcc6e42b4b683cd7e6f6f

SHA256
07de21e541f383bdcb4287fb5390db922ba68d86ad57a5ad08b28a13af92fa01

SHA512
b4db6f5f4cc1e1940d8f3f6f75fda1b165cd724d33ae9d0a2785d17abeb641c14cd470b2677e0a7d60214bccbca1249fa2d46f8750958fe4fd546ff4d10c88a2

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
56KB

MD5
ea63c893d6ab5d08a89be8402080f928

SHA1
57cd6d4da6f9529fc88bbc93762236a3f3f757bc

SHA256
ef92c8fb2bdf4f1c3ae0e45ee4afdf357fa4959e34fb5bc1ef658c36ebe2d5de

SHA512
da4409ecb35a2b48763d1db34d49bc01a9750486d60b0e6abef2d679aad49bef08da2738f86e7ec25b3eb03f1b2d9d11ec4bea095bf9fa0b908db8b394de256a

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
56KB

MD5
9fb9c0027db64cb09794748263f8e43e

SHA1
4b667d13bd2f37a4964d9d8d6ced13024393f04a

SHA256
b1303ca394b0a75a5dbe0a27d2a5d0adef4b649cfce06b98d4109fcb68ff297b

SHA512
f7de301106e6b8f42e554130fa722d6af02d69160693bbde8afeb8e3d5857329e1ae0a76e5726d47a4b8e23517b1f78c7dd2a8c2a4dabc84afaf1bd966e02a8f

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
56KB

MD5
a52a603e0e05c09d8ac3ef6b3517fceb

SHA1
70357569e852af9404581ef4cfa06b867de1b053

SHA256
5973c9b999e38b07a8a5ee9db2ba45766ed739af4fd549f72cc309bb247f9333

SHA512
d2a304b3e8dfa4be83200e0f860d1ec788d4fee0c06c045f3d11db0e49eddac7f96c53512bb0328defd2a92a83189ec8c88cb6eb13e1c15625e01480d294f1ad

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
56KB

MD5
40017b538a5dfc308666e4363440b31e

SHA1
578741b3f7547a166ace34a58f8cca99b6842072

SHA256
4f560bbe43a955c8cbfb9491a7bf538c2e848abce5503d919092343fb7809762

SHA512
cbccf75b9618431541b9c0fa911f7df3beb297c1a4828ca13d24b4d31aea63c27cee85cd866cc7d52c9a3854e118be92adbf0d3f20d9bac9af67e15ed89e5641

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
56KB

MD5
de4c78b2af32a955c7e2821c0a9f9bf0

SHA1
59d6a6d466e8913a34804e3db094c51c5f12a373

SHA256
090b60508a1230ca744f0f7023414622e9ca95cf1c15176287294be42fe83d13

SHA512
2f8d6cbb7234e9655e40a1e754a79b4c4150a6f46d7811f99b28eaacf22a00a89eace08456eedd08374d8a1c7440ab493b49a8c8fc910441f3a805859bfdc41e

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
56KB

MD5
700f0991697c561e227186b3c597c3b6

SHA1
1400093f05c59101d03b5f3b08285d08781474ea

SHA256
b417b64a1bdc431a8c1b5dd372fd342645ee3235d00f27aaba39484ca6298f1f

SHA512
12696daab7e057c97fb0ce3cd7ec91093a9e291443ec132929f423cb4ca7b40e2546430a306add434f45f4f906b8ae01fbbe1e5959312b44279df6126b2be37f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
56KB

MD5
12a293016dd429a244e72464eda81965

SHA1
75388c864082e26cc96432f1360c27050b3076fc

SHA256
ad8a54f1cf6894fb300146c3f2ddf210c91a76622596c98e8aeb00eee099f54a

SHA512
2cb107a172e387a43c88e724cc10ed712558fd130ee9d18dcf3aefffeddd917cddaef43eec242900ee828a8ac6cd3c83c09e8e7a25f561aeb9bd4982c68318d9

Download Submit
memory/1128-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1128-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads