b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Size

64KB
MD5

ff76c58e80f803460d3954b791829820
SHA1

23293de9e60da43dc23476c1818af8372930e515
SHA256

b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0
SHA512

f59230f89b0b7399ad9cfc06ac444003559f1de64bf9406dcd5f9379afc19ebb9c5c2fe5b568d32b3f1ca9ef9179ec960beb0434594164439e301ce76f6b9abc
SSDEEP

1536:cVMvVZ7269M89000lpWFc84kUXruCHcpzt/Idn:tvVZ7j9d000Oc8XpFwn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe

Executes dropped EXE 20 IoCs

pid	Process
4992	Cfdhkhjj.exe
4340	Cjpckf32.exe
1744	Ceehho32.exe
3936	Cdhhdlid.exe
1212	Cnnlaehj.exe
4976	Calhnpgn.exe
3356	Djdmffnn.exe
1948	Danecp32.exe
1880	Dfknkg32.exe
4468	Djgjlelk.exe
3460	Delnin32.exe
1556	Dhkjej32.exe
3872	Dfnjafap.exe
1008	Dodbbdbb.exe
4324	Dmgbnq32.exe
2012	Deokon32.exe
4552	Dfpgffpm.exe
2972	Dogogcpo.exe
4308	Dknpmdfc.exe
2188	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2992	2188	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 4992	1580	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe	82
PID 1580 wrote to memory of 4992	1580	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe	82
PID 1580 wrote to memory of 4992	1580	b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe	82
PID 4992 wrote to memory of 4340	4992	Cfdhkhjj.exe	83
PID 4992 wrote to memory of 4340	4992	Cfdhkhjj.exe	83
PID 4992 wrote to memory of 4340	4992	Cfdhkhjj.exe	83
PID 4340 wrote to memory of 1744	4340	Cjpckf32.exe	84
PID 4340 wrote to memory of 1744	4340	Cjpckf32.exe	84
PID 4340 wrote to memory of 1744	4340	Cjpckf32.exe	84
PID 1744 wrote to memory of 3936	1744	Ceehho32.exe	85
PID 1744 wrote to memory of 3936	1744	Ceehho32.exe	85
PID 1744 wrote to memory of 3936	1744	Ceehho32.exe	85
PID 3936 wrote to memory of 1212	3936	Cdhhdlid.exe	86
PID 3936 wrote to memory of 1212	3936	Cdhhdlid.exe	86
PID 3936 wrote to memory of 1212	3936	Cdhhdlid.exe	86
PID 1212 wrote to memory of 4976	1212	Cnnlaehj.exe	87
PID 1212 wrote to memory of 4976	1212	Cnnlaehj.exe	87
PID 1212 wrote to memory of 4976	1212	Cnnlaehj.exe	87
PID 4976 wrote to memory of 3356	4976	Calhnpgn.exe	88
PID 4976 wrote to memory of 3356	4976	Calhnpgn.exe	88
PID 4976 wrote to memory of 3356	4976	Calhnpgn.exe	88
PID 3356 wrote to memory of 1948	3356	Djdmffnn.exe	89
PID 3356 wrote to memory of 1948	3356	Djdmffnn.exe	89
PID 3356 wrote to memory of 1948	3356	Djdmffnn.exe	89
PID 1948 wrote to memory of 1880	1948	Danecp32.exe	90
PID 1948 wrote to memory of 1880	1948	Danecp32.exe	90
PID 1948 wrote to memory of 1880	1948	Danecp32.exe	90
PID 1880 wrote to memory of 4468	1880	Dfknkg32.exe	91
PID 1880 wrote to memory of 4468	1880	Dfknkg32.exe	91
PID 1880 wrote to memory of 4468	1880	Dfknkg32.exe	91
PID 4468 wrote to memory of 3460	4468	Djgjlelk.exe	92
PID 4468 wrote to memory of 3460	4468	Djgjlelk.exe	92
PID 4468 wrote to memory of 3460	4468	Djgjlelk.exe	92
PID 3460 wrote to memory of 1556	3460	Delnin32.exe	93
PID 3460 wrote to memory of 1556	3460	Delnin32.exe	93
PID 3460 wrote to memory of 1556	3460	Delnin32.exe	93
PID 1556 wrote to memory of 3872	1556	Dhkjej32.exe	94
PID 1556 wrote to memory of 3872	1556	Dhkjej32.exe	94
PID 1556 wrote to memory of 3872	1556	Dhkjej32.exe	94
PID 3872 wrote to memory of 1008	3872	Dfnjafap.exe	95
PID 3872 wrote to memory of 1008	3872	Dfnjafap.exe	95
PID 3872 wrote to memory of 1008	3872	Dfnjafap.exe	95
PID 1008 wrote to memory of 4324	1008	Dodbbdbb.exe	96
PID 1008 wrote to memory of 4324	1008	Dodbbdbb.exe	96
PID 1008 wrote to memory of 4324	1008	Dodbbdbb.exe	96
PID 4324 wrote to memory of 2012	4324	Dmgbnq32.exe	97
PID 4324 wrote to memory of 2012	4324	Dmgbnq32.exe	97
PID 4324 wrote to memory of 2012	4324	Dmgbnq32.exe	97
PID 2012 wrote to memory of 4552	2012	Deokon32.exe	98
PID 2012 wrote to memory of 4552	2012	Deokon32.exe	98
PID 2012 wrote to memory of 4552	2012	Deokon32.exe	98
PID 4552 wrote to memory of 2972	4552	Dfpgffpm.exe	99
PID 4552 wrote to memory of 2972	4552	Dfpgffpm.exe	99
PID 4552 wrote to memory of 2972	4552	Dfpgffpm.exe	99
PID 2972 wrote to memory of 4308	2972	Dogogcpo.exe	100
PID 2972 wrote to memory of 4308	2972	Dogogcpo.exe	100
PID 2972 wrote to memory of 4308	2972	Dogogcpo.exe	100
PID 4308 wrote to memory of 2188	4308	Dknpmdfc.exe	101
PID 4308 wrote to memory of 2188	4308	Dknpmdfc.exe	101
PID 4308 wrote to memory of 2188	4308	Dknpmdfc.exe	101

C:\Users\Admin\AppData\Local\Temp\b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
"C:\Users\Admin\AppData\Local\Temp\b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\Cfdhkhjj.exe
  C:\Windows\system32\Cfdhkhjj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\Cjpckf32.exe
    C:\Windows\system32\Cjpckf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\SysWOW64\Ceehho32.exe
      C:\Windows\system32\Ceehho32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 404
        22⤵
        Program crash
        
        PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2188 -ip 2188
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
4a0c4c5ddf11e70ab5ce77cc12e517ec

SHA1
340e59c7ac41400ed1b4711529f4aaf2e0018a01

SHA256
d9df55414fcc957dff1940739fe6b2885e43ace8d59266a542a786e08e7a55d3

SHA512
b5304bbd610e8478381aebd3d82a17eb0fd7f340f7d18b32ba6838e72b4d54c8647884b73c4e8981a330b1f9134f8114c89ef811ec45afd6f7205c9711ec6eba

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
19b291a15fafe9853b7b3c2194a3dae7

SHA1
35d2ca7f9e2db268f2703bdf65b6800d82df9d4c

SHA256
2c5a15b18151d992fd3852268a366aa24738eeeea36d237fc84b76342bcb29a2

SHA512
60610dde3ee3c3d5bc9ddcd10efb2de0be401f43a768eaaeba0c290599737425e7bfda6fb871f28b2d7ce732005c66c568ea7e7833b59d177200ade2d3fda240

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
6364cd6ed40c11b4290e6988b2cf5cfd

SHA1
c23912dc2e07c0caffb29b7c3dd3bfa90a30e8dc

SHA256
5bef6e92f8e0714ac8cbbbca36c927850eaccf30d98c2232662bca811e15de16

SHA512
6f7d7b982727048ccfd7bc44d46bd1cd9675a0e23e4aed7aa9abf13ed183475de128b73b7ee8e0789d6f2591d5a3a2326ecbdb4c39312f67562ac9daba0fda12

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
8f0827acee9697332402024764cf4dbf

SHA1
688ea038bf40d0dd25800c32ca5c6ade157544b1

SHA256
fbf3fc20f4ebd1f679b84d0e582487a36a2e1af6bd3d5d9e6ce2d65dfa6b86ac

SHA512
5cfab8d99009df50dadea410462a788138b5a2d4d4c4795b54bf7a4c3679a201b5f3a7433427040af9743043c0a295190632cc74203ebc5a533199f26f4c16ef

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
38374088d9b998fa980f40ef4762116a

SHA1
be6ff4e800d35bd89a1e5281f8b1041c198853fc

SHA256
93b8c58d645691a83806bd48d154f85ddc2fbf3b4117bebff5d595dcec2c2109

SHA512
42865f9c0827f7c1ebadccb4cf704ed163813651755e59b956d3f780056c6401978393f24d25ee8136fddc5ef0dbc2e37274648698b378ab01fdb33dddc0725b

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
fcbfd351274c7e0c0eac252bea3f7520

SHA1
47d27006d37a8dd1dc37820a3e6a67e125a7ea55

SHA256
8e039ad13ba4295ae7e8dfbce6bc7102e8774ca473dfa558d99cc1e983afbdfd

SHA512
56b0d1137927872931df228762d8fe06b97edc455ada9fd774f3b1e1f83a673da62d55aaa1bc361dd579e2d4072cfc48e1007cd4114e91889f8ab470d1083070

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
beddf398bf5f1acfd122ab27d49d6295

SHA1
12423f7dd7eaa06ea347c6e3342a82aefad0a8d1

SHA256
f7d5b6d519673ad59a8477e8f3f7ffcb5f382e06505afb41b22ebb85d06305c6

SHA512
4ccb3b29041ec67162821c768e31f143a1bea6fd477dbd254a831361a02dab8006a74a1e3250eb777c8e98ae172e1ae0207b568bf8d1410c1197a7bb9b502f8c

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
64KB

MD5
94cb3d0b9a188320ea746e4b56be8a0f

SHA1
03a6705c6d3e515b600874ea3bb301e1ebaf99fa

SHA256
7e48d817af47c42642b5aad4e543074db2ca16feef7cba4bfd6e1f7e7b8928f5

SHA512
637b0c7775918455b5758a00b5025a00be2481f8e43176dcb575d2801f35b5bd199819f10739d11fc4e87e4ce8d3fa31aad2621995f26e912e5a52c5d0a260c4

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
64KB

MD5
6a0ae602d245d72a2162708261afb0cd

SHA1
df9c936c8a51f67fd93c60dcaa7166d63d2e23af

SHA256
d0de50ddaa8bcb09f015d559c99a803c5c2ff41018d7d1d023e5489fa7437c95

SHA512
12f5117af2329443f54244bf2ab950804bb090d2da15dbdd981b5665eec70802011d73a4487b3dc3597a726ff032c1f58c1e21ae93be06073a29ae733685f0c8

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
758fd77880c72676709d845add254fb0

SHA1
e37ec45c30f96e403217f4fd84d4623feff32a05

SHA256
f7619fcbbc1c0588ffec561bbc72f6931606d1942ce6323c580b456716f97de1

SHA512
76aefff764e2496ee93904498d13a6565657ec52f3f09523a4b1f25f238f49d6efb7cb78913812180fdf39a88b26fe3a92f3bf826ef55f0c3db610aaea9bd390

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
64KB

MD5
172f5bc23bb0167c79c7fc60a9055968

SHA1
81df6b8dcd13cbc203fba231d982bbd4bce971f8

SHA256
e8acc87b7f1f4d8fb3a8ca595222ca7e7f3201f092470b3ad7ef811eb21b2926

SHA512
2c070a84fe8af11782e8cef8c99e38a55f4d906b878fbdc2e65dec70fe3aaf2131886d3acdba686daa1f6933f5b453fa627ea9f374b0b7692ca7ceac1ff02c30

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
2101273a4b21836c0e56897256afd328

SHA1
a2f13a6e239aae64fa92f7f8d58308423db26a3b

SHA256
eeaeb2edf6b8ac1172b88177bb8e90e512c691169793faf75bc9a32ddf6fe837

SHA512
e3a0db8522dcf51db50ec44268e5d69c8ead5dfe82e32993344a3622b65b575706c9891622731f4ddabf2c2a553e86419e5d6d0e7b5a6e5b0a870527038d10cd

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
ffc61fdb690d39f9559f1febf5d1f86a

SHA1
c581d2e6c418750a349b00bf358f12e8e0ed40b1

SHA256
35d31714f737532a61403b6732720f21f1cc3cfee4fd4bc562409c2dd75246d3

SHA512
a14d0f23c3cf321ccaa9feb9b6b6d77e37f7aa59c9f47a3c498dcc8ca78aaafddd1fa8cfaaacd3c619e98497e2dd8612a482c783529655b40698ed894cc82871

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
64KB

MD5
49ae7a0b030e4b76264bc050ca6fa5c2

SHA1
b33165a2efd8b198cda0c3f1009de4858effaec3

SHA256
dff3c14a4b24564a707883582f42f6084a6d959f62a593d71bd39344f5157cf0

SHA512
5ac4796aec971a1212046bcfa17ad59f4218500c234234ffa994a26f5bf02f33a92e44be3cdfd104271ac7e592636bc396a4c6a6fc23b19c785107406caad6a9

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
d6bbaf15596610f0a9a70c2f372a7d3f

SHA1
a516b7f082fbed29faa12846c531640025d2cd13

SHA256
a17016045913922718c1bca73b6b0c2bbb4db74108f7ea6cbd859bcf6901a72f

SHA512
46c7df8d699af64117a0efdacd48f7b5ad75d55eede674f0ff150bd501debe9c889050a453b758012598b3e2676ede6257c35fa94eb1a49f9f668ec86524952e

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
64KB

MD5
1b8cb3a5f9b4a746e4ac80c04f60a38e

SHA1
fca9e4a39f8bd74c7357fa89a2d22ebca3d310c0

SHA256
f61c15d8fc1ac2943cf1221efc2182e44d4fca2ad38410922821178e33744adb

SHA512
ba2f24ec9e98cd2dd50e233b6feccc9ecf17985b5cd8c7e19f8527fdf32117cf5b602c8b3c4a5af6d39dec65f424e59520668db3ef9b47bcbd2193792fd4c770

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
1640ed7c779c321df41f1f551c2ee2ea

SHA1
6cbba3d8a1435eb51800b829bd6f0d52c44d5753

SHA256
91f740def2e965a5017f648ce38f040434e7a9ed544c177db51ef0082e004ba4

SHA512
1157d1448b72e04754dfe08a11b5e5eddfb2de5c1a9fb9ffb586012a4370b11cbdc944221f9f2b2bcbc11812ac93969d55fa3489d826bc43cd26ad3cc4b47eff

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
323e4d857c7693a8356acb5e82e45804

SHA1
991307c75ec848b01d2d7228d524d6e66692ea53

SHA256
f8bc0a2decdf6fa79e03098cf11948e862fd03cbec08e6f8ce0863ba9d42d4e3

SHA512
5f9f67a4ea9668d92319120db5fee5de9280774f8cebada79af84bc41a34fb3ffbf316d967c3a772f7332d882a8e3200ffe4380b49fea4d7564486a405bc251e

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
64KB

MD5
7821c1f07013aa5708d36ade162b49d8

SHA1
e0185bed06289ff2eb9182200998c06e6ebeb546

SHA256
6f3109d6cf417090bf8951b42f838accdba360ea3f64095be5380897c2cf9595

SHA512
fa843ea308dd333fff81d2a9ca6120a60249f39729b9e5ecd497a39f83f0e88942d7b3f76eee23979b07a6251a9cd44586920a3c7612d8b13110e9c3a4e1dd82

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
ce290f93251f3b83ea64cf795108022a

SHA1
bac262ae813f6a15d4aa57b66eaea510b7ddac7c

SHA256
56e747ce9079467e007a6a816e54e66253616148a80794c9718a3934fe653b63

SHA512
e668fb835cf5056863e6e1f14a546181fcfb40c65ed0031f5ad1b984e044d384c04bd9862bd2082b39f129bd12c2e428802aaf51485b3275e473c44260b8b508

Download Submit
memory/1008-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads