6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Size

73KB
MD5

8df5d3e0a70bef830721c8ac92c22cd0
SHA1

ba0db0472e691b81f2bed97d90d5d9ec0697caa6
SHA256

6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2
SHA512

28b00b2e6df1cf778a3336fa7a8719ec906d489b6d15716bf10f75e0b935cec7aab0c3a5273dcea28c9d915d8152ad7f23eeaba39705f07d523cb4a423cfca61
SSDEEP

1536:mdIL4B8BbfGgzHWr3nCXne70h+guCDXe5YMkhohBM:mdIL4B8N+g6CXne70h+guCDaUAM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe

Executes dropped EXE 20 IoCs

pid	Process
4312	Cdfkolkf.exe
3416	Cjpckf32.exe
3840	Cmnpgb32.exe
2432	Cdhhdlid.exe
1980	Cjbpaf32.exe
1888	Cmqmma32.exe
2532	Cegdnopg.exe
5028	Dfiafg32.exe
2100	Dopigd32.exe
2436	Ddmaok32.exe
2336	Dfknkg32.exe
2376	Dmefhako.exe
2192	Daqbip32.exe
1484	Dmgbnq32.exe
2396	Dhmgki32.exe
312	Dfpgffpm.exe
3312	Daekdooc.exe
396	Dddhpjof.exe
4252	Dgbdlf32.exe
4544	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2572	4544	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4312	2996	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe	82
PID 2996 wrote to memory of 4312	2996	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe	82
PID 2996 wrote to memory of 4312	2996	6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe	82
PID 4312 wrote to memory of 3416	4312	Cdfkolkf.exe	83
PID 4312 wrote to memory of 3416	4312	Cdfkolkf.exe	83
PID 4312 wrote to memory of 3416	4312	Cdfkolkf.exe	83
PID 3416 wrote to memory of 3840	3416	Cjpckf32.exe	84
PID 3416 wrote to memory of 3840	3416	Cjpckf32.exe	84
PID 3416 wrote to memory of 3840	3416	Cjpckf32.exe	84
PID 3840 wrote to memory of 2432	3840	Cmnpgb32.exe	85
PID 3840 wrote to memory of 2432	3840	Cmnpgb32.exe	85
PID 3840 wrote to memory of 2432	3840	Cmnpgb32.exe	85
PID 2432 wrote to memory of 1980	2432	Cdhhdlid.exe	86
PID 2432 wrote to memory of 1980	2432	Cdhhdlid.exe	86
PID 2432 wrote to memory of 1980	2432	Cdhhdlid.exe	86
PID 1980 wrote to memory of 1888	1980	Cjbpaf32.exe	87
PID 1980 wrote to memory of 1888	1980	Cjbpaf32.exe	87
PID 1980 wrote to memory of 1888	1980	Cjbpaf32.exe	87
PID 1888 wrote to memory of 2532	1888	Cmqmma32.exe	88
PID 1888 wrote to memory of 2532	1888	Cmqmma32.exe	88
PID 1888 wrote to memory of 2532	1888	Cmqmma32.exe	88
PID 2532 wrote to memory of 5028	2532	Cegdnopg.exe	89
PID 2532 wrote to memory of 5028	2532	Cegdnopg.exe	89
PID 2532 wrote to memory of 5028	2532	Cegdnopg.exe	89
PID 5028 wrote to memory of 2100	5028	Dfiafg32.exe	90
PID 5028 wrote to memory of 2100	5028	Dfiafg32.exe	90
PID 5028 wrote to memory of 2100	5028	Dfiafg32.exe	90
PID 2100 wrote to memory of 2436	2100	Dopigd32.exe	91
PID 2100 wrote to memory of 2436	2100	Dopigd32.exe	91
PID 2100 wrote to memory of 2436	2100	Dopigd32.exe	91
PID 2436 wrote to memory of 2336	2436	Ddmaok32.exe	92
PID 2436 wrote to memory of 2336	2436	Ddmaok32.exe	92
PID 2436 wrote to memory of 2336	2436	Ddmaok32.exe	92
PID 2336 wrote to memory of 2376	2336	Dfknkg32.exe	93
PID 2336 wrote to memory of 2376	2336	Dfknkg32.exe	93
PID 2336 wrote to memory of 2376	2336	Dfknkg32.exe	93
PID 2376 wrote to memory of 2192	2376	Dmefhako.exe	94
PID 2376 wrote to memory of 2192	2376	Dmefhako.exe	94
PID 2376 wrote to memory of 2192	2376	Dmefhako.exe	94
PID 2192 wrote to memory of 1484	2192	Daqbip32.exe	95
PID 2192 wrote to memory of 1484	2192	Daqbip32.exe	95
PID 2192 wrote to memory of 1484	2192	Daqbip32.exe	95
PID 1484 wrote to memory of 2396	1484	Dmgbnq32.exe	96
PID 1484 wrote to memory of 2396	1484	Dmgbnq32.exe	96
PID 1484 wrote to memory of 2396	1484	Dmgbnq32.exe	96
PID 2396 wrote to memory of 312	2396	Dhmgki32.exe	97
PID 2396 wrote to memory of 312	2396	Dhmgki32.exe	97
PID 2396 wrote to memory of 312	2396	Dhmgki32.exe	97
PID 312 wrote to memory of 3312	312	Dfpgffpm.exe	98
PID 312 wrote to memory of 3312	312	Dfpgffpm.exe	98
PID 312 wrote to memory of 3312	312	Dfpgffpm.exe	98
PID 3312 wrote to memory of 396	3312	Daekdooc.exe	99
PID 3312 wrote to memory of 396	3312	Daekdooc.exe	99
PID 3312 wrote to memory of 396	3312	Daekdooc.exe	99
PID 396 wrote to memory of 4252	396	Dddhpjof.exe	100
PID 396 wrote to memory of 4252	396	Dddhpjof.exe	100
PID 396 wrote to memory of 4252	396	Dddhpjof.exe	100
PID 4252 wrote to memory of 4544	4252	Dgbdlf32.exe	101
PID 4252 wrote to memory of 4544	4252	Dgbdlf32.exe	101
PID 4252 wrote to memory of 4544	4252	Dgbdlf32.exe	101

C:\Users\Admin\AppData\Local\Temp\6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe
"C:\Users\Admin\AppData\Local\Temp\6fa5b590c382ddd126c638f78ea762502a3d5771cb0ec7388bf4a48a824516d2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\Cdfkolkf.exe
  C:\Windows\system32\Cdfkolkf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\Cjpckf32.exe
    C:\Windows\system32\Cjpckf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\Cmnpgb32.exe
      C:\Windows\system32\Cmnpgb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 404
        22⤵
        Program crash
        
        PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4544 -ip 4544
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
73KB

MD5
e909e1061509d9526b7b7a7ace70c958

SHA1
51e25c2797662be7ee4771dda1b021bdddd4d63d

SHA256
6325d8e0cac7719d4aef5ab653522a6ef66689839cf807b09a953c9f17cee415

SHA512
5d34e6e8aa90bed6cd778f84805d96d0d880a4734136931dacf09db90805a959c9a5a66ff85253d9e05099c91f88ef0d284a474b6dfd5e820a35c7a67c07ee55

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
73KB

MD5
ffb81502f517be2dc2f98aee472477ed

SHA1
3981001d8b1b89266fd8dcadaf2f472e3d0fb8ac

SHA256
e5b3b65495e3d6fdf4e1e483db164ddbfb1b0fc485b5d2f65e94cb52ca62d64b

SHA512
308196019f92da2e614f85933cb2320a53615e299b5c4e85554870fec0ad4188c578092c88d95f8e5e23159a69f3a412b38ea699a219962193292a566d9e81cf

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
73KB

MD5
78df0cfed8e565634c8f503669230d4b

SHA1
db4fe41163ae04783e7780b99fc7fa4e1f5d795a

SHA256
149652f5ad00c390dc90c364b40b37ec3653679537ed636788031858e58d60ff

SHA512
536799615cce8c9182fb9a7870bbf261c4282b7e1a4bdbe34318aecbf8062b098412d5e5a0fbe2b8290db2b99835a350cd963b7788bb7ef9e19035ccd295f66c

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
73KB

MD5
1a61b011e3105d09558d17216dae73d6

SHA1
c5100c60741c174c0bf9a4fabc4244b7f50bad55

SHA256
f9f80e30b0ba8f9b8f426d9a3efb030ad8ff5cb4109439523664e26b99ccf835

SHA512
3ad80a3f4578098b5eef3cf603478a29c2f77e9b9d3ccb912c51556483bccceadb04b17e003e706e95ea1a8a46ea194c2b0fdd4f0033c83167ed476c0abe5d34

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
73KB

MD5
fc8da539539df467100446eacb223b4e

SHA1
7b9f5bbd11c5b4f57b11ab404b6a53c59d30822a

SHA256
7246356dbe47bddbaacf705fc4e77508adeaecc464df46db501092c8b3c57590

SHA512
a4b0246b67a108133ae572c8c8961475b286cc93585dbe7b57c95db740ecd8d08952e8b6600c4d199a7abb0d5864d2312bb1b783bc030adfe35110dcaeb8a437

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
73KB

MD5
d030a8bb488097eae8c2749b90e7d23a

SHA1
20d6051f9baaa5abcf8324a555e622b1ecea6f71

SHA256
f0d4c7a7b79220f0dae399f71b5125659a3ffa69ebb92affeebe64e908589778

SHA512
a8260d186edd65ed9dcb595378d3a0821d077c2ce36048224d53fdb9d9375a8a5e83f405a2e1ae235f5f1ca34ad91b7d8fe04131b7a81c707543ed8594e54411

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
73KB

MD5
b6b64c85e2de0824fbfe7abcd5384743

SHA1
309d70762ac9a39ae01ed89fd6788e8e7f7363f3

SHA256
2c594e0265be63656e17787be17fa92b2dc494690ed2ccbd4de86388ea3f65fd

SHA512
cb50625a0ac7d643c340ca12bbf3f740ce20d3a6b04aff45e8126c531bd529f2b6840c5d53a8f588227d606ad3c4880a2a1491e7fa7791c5d4dfe04153dcefc2

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
73KB

MD5
50f22076c75efb5ed616c8bff41b78cb

SHA1
e3ebeb7cd31ecf524f34043d2d1f17046caaad3b

SHA256
5303aa63e14a7572defe51b6be9c48cbcdb6a0ac9187e33c3b0e2d7b4f5713d8

SHA512
527bc3653da41d4a4764d9c39968dcdb8ce48a06fa2ba4efbba81c5c357b8795178acc109759426562392c92af3b6870473d56726fa8d47a59af402d8749bae4

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
73KB

MD5
30b1dfea922be2439a8744fb8b4c8488

SHA1
fe0190d189cc25020a65878de8036eed9e413d9f

SHA256
5d98bdd428d60129b7ae430d85c56cf86071244b00bcad1ab244863cadd5e997

SHA512
974856a2b7d85451afbc1962e955e7e441153330bc37261712e73e979bf7be39a14ff17e44a51a4aca487d5e8eca02cdbcd5fa48bfc72922b676423db143eb02

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
73KB

MD5
ca87ff17cc9e578fcde452ada382ee8b

SHA1
66b1d551e6db6cbf49911db62777a293b48831e1

SHA256
374d9ff438858857e509fa927fdc21c723f1b280c06afda4741662227158b8f7

SHA512
a3432be4360ad25c193252f491734dbeb0343972a2e12ce0d41599cbf3884d3dbc2177d76d31611817c962fd3e2e43f2617e07173e045cb74f7321623160c579

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
73KB

MD5
4884f02bc38cc5c824aaec558154c385

SHA1
b8d1772e1591fcecb1eb703e5540f99ebbc36fb7

SHA256
b106305eb8b02936d9d9cb78c378be2c0d5a477ace885a7569fc2d9a85b91cce

SHA512
e0b053b9d5708e44c19cd0c6edb0701c820b07f8597b1e8aa2e413dec7654681c3bc8a46bdb4ee6483116d87090e4bf5a8af51e6ab0d6874612e994a36429931

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
73KB

MD5
c92b19d1e4885597944d372013d28644

SHA1
d20246c540f63b0d17c0cbe85809cd0e16dbe230

SHA256
d1010d04a7b1c1d7a3ade2446e73d25fef25a2dc6330e9c1c6e6970953488599

SHA512
168a0fa8515dae25c7660467a15fecf5841455687748e4c9fba89173ff16133cd516a5c0bb7f9093a0dc755293ebdb235cea965da85cf40cd3c6a88274db8fc8

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
73KB

MD5
96b8c61c462bd1f1375fd041c33fa897

SHA1
474510577ded2f6739091f7e933f2c88646fa0e2

SHA256
dca4e1cca017bfa5b566509b2b43b56908c1b1bda59e8659bb93a0876a1269b6

SHA512
a139abcd80067dd96017ca3228242fc84b688dd436952bf3e7bae449f63d25e3dcd786dc5214c84b0d71bf0448c925c09a3d9eb16431625a77cbdbe986366a11

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
73KB

MD5
e7d82abe3cc123d8a03e18ce16d9e3a4

SHA1
34ee5d959486a2313a3019003631e02e29d8a1eb

SHA256
07901caeba363edd93600eb8c606a062e2bb27a1cc9e174c9a9eda04a7c0cfcf

SHA512
406991de127d8007e74dcd7b66daf6a862a7dddcdef6407e45a29dba86929bcf35d60b44dc8f1930a2005e9f108f2273171c99bf89cc3834ce7d70cc6987a792

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
73KB

MD5
8f9e8d18f9b01749deba4fc4ee60ba31

SHA1
18fbb67fcabe829561fe38ad4b7966c519698de1

SHA256
d0a4e76e102e91a2c8d341e1a0231389d7c4a5a806c733278f646a662c3c7f5b

SHA512
c187724457ae728f544babc539f9bb6d9d2a346050a4f172cce21225b05a1e59fd7430740afdfd9e3b2211c0ab892ed3ca293ded17108bd10df56b7bb3fa382c

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
73KB

MD5
c3990313a870e3fbeff6ed779ba8c9ae

SHA1
2846136e8741d46ca3a2d15ed2b84ca2a304e6b7

SHA256
872c2ea19020049ea20b0bed8d49ad3e7fc6cd1ddec799706ad18b05f5910f91

SHA512
500fa0d571d1110fe8a1de3ed3f9a47edcf397239c6aeb0e28a07a12acec97c4e41aa00a3a974fbeb248143362ce5a9d8b6c306d084cadffd1e572dec30caf66

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
73KB

MD5
2a2273d190cb1fe360ee2c43ec398b86

SHA1
c480e9d2a6bebb07d12dbedb31b0ccc14c3590fe

SHA256
9c5eabf37b342ebbda79329525b6f30b8d48f24d4aa584e0e137fd62f8f8ec0a

SHA512
f2e8cc9dafe107653db8ddb9d91603ffb5efc4f567cfd0e0ee8c1b5475b5f63fed2bbc07535984520c4528c8cf1d12113e30899b5caca859e447a9ec7017dda2

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
73KB

MD5
c1d067620b099acc611244a5cc02b4df

SHA1
cc17a1dc0e4ebbe5897212608cf32d90a785b1eb

SHA256
a328d8ed94915a77a84f1fd9c140ddca9bcea3610739b0c5d5786faf19fdef2d

SHA512
82233b0bf6f3ed29e70a3d6f08b1e85201172ea401a7936ffe7b885b9ad506414c8157a1dd5368bc7d347ff16aac59b56a54461d4c7cbd221412a35212d3566f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
73KB

MD5
f3b704c13b70ef6478a7c642e4ba34bf

SHA1
abdc9f19784e992a1ff55701c13829a89aae43ff

SHA256
af3bdcab81907df8c83c163ca9b6926256960005b7bbebbb9bbc7243c8d7aa90

SHA512
db5e75037e1230ff9b60391c648d1df57137b748b3991f2b979663f217e1890856b43842efd12178650b060246a82bc9b65525ea486d137cbd828235b873c48a

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
73KB

MD5
1e4380a9bbcadb10486852ab13d71dbd

SHA1
64571b776d3734d446fe94a51c7892af00912ec6

SHA256
5a31e3d5142efab092475b99e79370551b060b7b4e981b5326b2461079799524

SHA512
cb529e95a061514eda6637dbf791d70b96fb787299560b0d3773c134f69fbdbc8e13d8c6fa5b523b5c7f59fa7cd1f27d9ee570b97fccdcfb6dacb8c0b8b3c620

Download Submit
memory/312-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/312-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-172-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2336-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2336-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2376-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2376-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-164-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3416-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3416-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3840-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads