59abaa47036b19483d7bfba890551c1edaddd6e265455806ca4de2d7e16ce93f

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 04:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

91575fdea9b7ae5d94f945591bc9ca70N.exe
Size

352KB
MD5

91575fdea9b7ae5d94f945591bc9ca70
SHA1

7ccfc6879530993c9568382e9e5fd6648100cf8e
SHA256

59abaa47036b19483d7bfba890551c1edaddd6e265455806ca4de2d7e16ce93f
SHA512

9ba4aaad0e74933d6120ca325c910a733a65cb38658691694eb9917318103cac02912c95172f973f507d4504f639d824a38843738ecb6d83707276c43f3a5476
SSDEEP

3072:bapbr9VECrdqOJF4EISi/i4gG4nv4H3EzkGSaXiT+9S+a1+s3wNxn:bYbr0CRD4yjwHL/T7Gsyn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	91575fdea9b7ae5d94f945591bc9ca70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	91575fdea9b7ae5d94f945591bc9ca70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Executes dropped EXE 20 IoCs

pid	Process
4544	Cdcoim32.exe
5044	Cmlcbbcj.exe
2528	Cdfkolkf.exe
2904	Cfdhkhjj.exe
3784	Cmnpgb32.exe
4092	Cnnlaehj.exe
3056	Ddjejl32.exe
3452	Dfiafg32.exe
4472	Dopigd32.exe
2828	Djgjlelk.exe
1556	Dmefhako.exe
2024	Dkifae32.exe
3912	Dodbbdbb.exe
1172	Dfpgffpm.exe
3660	Dmjocp32.exe
3268	Deagdn32.exe
4424	Dhocqigp.exe
4536	Dknpmdfc.exe
772	Doilmc32.exe
4912	Dmllipeg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	91575fdea9b7ae5d94f945591bc9ca70N.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	91575fdea9b7ae5d94f945591bc9ca70N.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	91575fdea9b7ae5d94f945591bc9ca70N.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1644	4912	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91575fdea9b7ae5d94f945591bc9ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	91575fdea9b7ae5d94f945591bc9ca70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	91575fdea9b7ae5d94f945591bc9ca70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	91575fdea9b7ae5d94f945591bc9ca70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	91575fdea9b7ae5d94f945591bc9ca70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	91575fdea9b7ae5d94f945591bc9ca70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	91575fdea9b7ae5d94f945591bc9ca70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 4544	516	91575fdea9b7ae5d94f945591bc9ca70N.exe	84
PID 516 wrote to memory of 4544	516	91575fdea9b7ae5d94f945591bc9ca70N.exe	84
PID 516 wrote to memory of 4544	516	91575fdea9b7ae5d94f945591bc9ca70N.exe	84
PID 4544 wrote to memory of 5044	4544	Cdcoim32.exe	85
PID 4544 wrote to memory of 5044	4544	Cdcoim32.exe	85
PID 4544 wrote to memory of 5044	4544	Cdcoim32.exe	85
PID 5044 wrote to memory of 2528	5044	Cmlcbbcj.exe	86
PID 5044 wrote to memory of 2528	5044	Cmlcbbcj.exe	86
PID 5044 wrote to memory of 2528	5044	Cmlcbbcj.exe	86
PID 2528 wrote to memory of 2904	2528	Cdfkolkf.exe	87
PID 2528 wrote to memory of 2904	2528	Cdfkolkf.exe	87
PID 2528 wrote to memory of 2904	2528	Cdfkolkf.exe	87
PID 2904 wrote to memory of 3784	2904	Cfdhkhjj.exe	88
PID 2904 wrote to memory of 3784	2904	Cfdhkhjj.exe	88
PID 2904 wrote to memory of 3784	2904	Cfdhkhjj.exe	88
PID 3784 wrote to memory of 4092	3784	Cmnpgb32.exe	89
PID 3784 wrote to memory of 4092	3784	Cmnpgb32.exe	89
PID 3784 wrote to memory of 4092	3784	Cmnpgb32.exe	89
PID 4092 wrote to memory of 3056	4092	Cnnlaehj.exe	90
PID 4092 wrote to memory of 3056	4092	Cnnlaehj.exe	90
PID 4092 wrote to memory of 3056	4092	Cnnlaehj.exe	90
PID 3056 wrote to memory of 3452	3056	Ddjejl32.exe	91
PID 3056 wrote to memory of 3452	3056	Ddjejl32.exe	91
PID 3056 wrote to memory of 3452	3056	Ddjejl32.exe	91
PID 3452 wrote to memory of 4472	3452	Dfiafg32.exe	93
PID 3452 wrote to memory of 4472	3452	Dfiafg32.exe	93
PID 3452 wrote to memory of 4472	3452	Dfiafg32.exe	93
PID 4472 wrote to memory of 2828	4472	Dopigd32.exe	94
PID 4472 wrote to memory of 2828	4472	Dopigd32.exe	94
PID 4472 wrote to memory of 2828	4472	Dopigd32.exe	94
PID 2828 wrote to memory of 1556	2828	Djgjlelk.exe	96
PID 2828 wrote to memory of 1556	2828	Djgjlelk.exe	96
PID 2828 wrote to memory of 1556	2828	Djgjlelk.exe	96
PID 1556 wrote to memory of 2024	1556	Dmefhako.exe	97
PID 1556 wrote to memory of 2024	1556	Dmefhako.exe	97
PID 1556 wrote to memory of 2024	1556	Dmefhako.exe	97
PID 2024 wrote to memory of 3912	2024	Dkifae32.exe	98
PID 2024 wrote to memory of 3912	2024	Dkifae32.exe	98
PID 2024 wrote to memory of 3912	2024	Dkifae32.exe	98
PID 3912 wrote to memory of 1172	3912	Dodbbdbb.exe	100
PID 3912 wrote to memory of 1172	3912	Dodbbdbb.exe	100
PID 3912 wrote to memory of 1172	3912	Dodbbdbb.exe	100
PID 1172 wrote to memory of 3660	1172	Dfpgffpm.exe	101
PID 1172 wrote to memory of 3660	1172	Dfpgffpm.exe	101
PID 1172 wrote to memory of 3660	1172	Dfpgffpm.exe	101
PID 3660 wrote to memory of 3268	3660	Dmjocp32.exe	102
PID 3660 wrote to memory of 3268	3660	Dmjocp32.exe	102
PID 3660 wrote to memory of 3268	3660	Dmjocp32.exe	102
PID 3268 wrote to memory of 4424	3268	Deagdn32.exe	103
PID 3268 wrote to memory of 4424	3268	Deagdn32.exe	103
PID 3268 wrote to memory of 4424	3268	Deagdn32.exe	103
PID 4424 wrote to memory of 4536	4424	Dhocqigp.exe	104
PID 4424 wrote to memory of 4536	4424	Dhocqigp.exe	104
PID 4424 wrote to memory of 4536	4424	Dhocqigp.exe	104
PID 4536 wrote to memory of 772	4536	Dknpmdfc.exe	105
PID 4536 wrote to memory of 772	4536	Dknpmdfc.exe	105
PID 4536 wrote to memory of 772	4536	Dknpmdfc.exe	105
PID 772 wrote to memory of 4912	772	Doilmc32.exe	106
PID 772 wrote to memory of 4912	772	Doilmc32.exe	106
PID 772 wrote to memory of 4912	772	Doilmc32.exe	106

C:\Users\Admin\AppData\Local\Temp\91575fdea9b7ae5d94f945591bc9ca70N.exe
"C:\Users\Admin\AppData\Local\Temp\91575fdea9b7ae5d94f945591bc9ca70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\SysWOW64\Cdcoim32.exe
  C:\Windows\system32\Cdcoim32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\Cmlcbbcj.exe
    C:\Windows\system32\Cmlcbbcj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\Cdfkolkf.exe
      C:\Windows\system32\Cdfkolkf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 396
        22⤵
        Program crash
        
        PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4912 -ip 4912
1⤵
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
352KB

MD5
61506faa892dc12c3620b36a840cbfde

SHA1
076580b4fcd2a1ba1bfcaf97b406b5dd1cc15717

SHA256
b65023ca6e6787b21e1f01a178a31f4cf8f7f84ecc93e00c984bc2ee60cfe95c

SHA512
d2c40d425a723a0ccf81fd2d16074ba95f50484b2a48a2d667902119a86b00e21e985aac601b619a989e195c0b8d79c71676cd997f16292552cfb710142c192f

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
352KB

MD5
f59b654af377aaa1bbe35921d3060e3c

SHA1
c30338726f7eb0003657bbfdfa96eeecc409b1e9

SHA256
af12a3838176679dd897e17c950daba05216151de3958c469984224925a0d53c

SHA512
b376ad43bc2ec3fd9d31b9b99b321d5e4db5ac4464b85579986c1e93d4a85ba864d335d5c979c975733f055de10abc6eed80e4f474906b0ebae36348d9b12ab9

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
352KB

MD5
f719588d31840a2fe6e0f17433e3304b

SHA1
3813b0ce3566def15eff198703a1b2239e0df01f

SHA256
26ddb5521f6a4bd0b90ee8170dc83105e9f1f8f390f95894ef20ad5cf77098e6

SHA512
0ef8e5a349dc156a2a06670074e67a73f52117755397ed35f09b38f53900e7b62686d3070189f8ea9676ef254cefe484712f41c7d8295e142fcd6ef42aa8ab98

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
352KB

MD5
e94bdaf5f4450f39b02f0abaa503528d

SHA1
87472ec98370151afa403bb2ae6bed6b1d8dd3e1

SHA256
e5bd1e6bdd444899bb1e90fd19113365e64d6a0f5dedb9339ef5da5b14ea492b

SHA512
49758b90c8d641909bb688e301f3555e4f90e1dfcc6eaf26fdda33145cbe1705a1582c1a056eb7e0bbe73f8266179c49850091f2fffee729ec41dcc30c247941

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
352KB

MD5
6d10fa759241b54ce9e6d4372bf3a898

SHA1
c6719e6f5f666788ee54e187a9dc5fc18e5eabfd

SHA256
e11300df95d9fbf1c65310d8e11d2a0d38843cfcc84f1168933e2b806068e506

SHA512
1da6201f7398560f4a84c384d4fac7bb50fdbdaad1ca63f6216fc193632d84cd062da05c0544fd425311a1a4995d110f54e2244fee5c705ab4982cecba14c1b7

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
352KB

MD5
0d4b4d43699095d82396f0576754cb1a

SHA1
d34960a905f03a1b3cd7b63ad404ff691290c238

SHA256
af79d8f981c76c7b3c4313a9f810aae8dd19f33bd588a6a7b0daa39d151466c7

SHA512
3fe0c27d3230753feeb584ac372472a195517b456a68c1ff13b0848805951c2cc650fe9715b84a0ad09cf31091af0740cb6d8c6c8cc8f1b9eb1b31d757ee0667

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
352KB

MD5
a8e5632670eb85b8620cea509c7755b5

SHA1
64e912675e06012dc0fa1e23cb32da934dc329a5

SHA256
5e8a8e8e5b28567a07490c128359bd670c5ab6f963d6064051bc7db8b47a9f7b

SHA512
3b70033a412258d693a77a344466cacaf264a5ff28748d24adb4d5f0c15e119a7fdead47eb8f9996656c656b28c6da4a458dd16211ecdc98fff8a294fe86d3a9

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
352KB

MD5
97d77472f93377442b6048371a919afa

SHA1
1aceaeb4e8f32ba564deef00869c24cc57f1bf9c

SHA256
7b7b3b9f75366c0e1b136704e3cd0c64c00cb16e22c0a0bcb2712a809e31526a

SHA512
5a27fb8432f3b5a7fbe3e5d46f1703af465f5246f36d61cbae991dcba9b261e4846808a13077044c40ebba8edb92c04c6095d7abc6aa104a62a55159630cdbc6

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
352KB

MD5
c74c8c47775f77df5d4e1af92806fdfc

SHA1
f1658bb401029479787a7971e86b5eb9707a4047

SHA256
bc88d9cae5f8df37b1054340b76172fb900f49eea6aa597e8fcf2d950f239941

SHA512
d8726bc3d4e73041e49ef260f9fed345a7bc9c3632bdad30388034ed058be0f0b089e274d1c36fee1aba80c33581453abc38e776bcd02d329aeb7dc13ef99fdf

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
352KB

MD5
ddf823be96001f8a002a8bec2b7fab49

SHA1
0d0879616dcf963bc7b0f7880b97b8f7102b4e75

SHA256
5acb4f1c792a11448df1c5c508ef43ff6f73537507295a5fea2ea4c051751444

SHA512
1c6c4bb23362f194137a475ce6ec22bc5431a01c2ed64442aab6213b760e5c22ffb3c0ba099e007d73b92456bae9a8993bbfaa05243126157fb961ea67ec6278

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
352KB

MD5
f68f438c9e3a5828516b2baf08443499

SHA1
133bf03f48eef2afb10959d4c36226909f9c6403

SHA256
2a0cc6cf937c45ac4cf1c3a30c3c4a678e4102ea8652becceb1f737596cae214

SHA512
9a0feef84f2100ff9c2e1c960a3c40c50293e7720e17ec85da59ea1c106f491c864b441d5df51056f8be6efb11e281fbc92cab5fa945a365a60c02b7476d8faa

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
352KB

MD5
3628bc62e7a7baef606b45984ca258c7

SHA1
a0efaadd32be538c21452c3a8ddb7425f85a130c

SHA256
d20591517164220bfdfb07028a6d3b51e20b64af4f0d64d96466eb2831e7df2a

SHA512
ec053afdfad52d5a5fa84dd3dc52e20106cc565fdd1ed57ed922761d7357524c07e00143d344d349875f813196b619dbd01f274bd02584996589a124f522bf96

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
352KB

MD5
5f2bf438cb43c585c17bc843379bd9dd

SHA1
453b53a736fe619ddf05be7d324e7f7690f02150

SHA256
8051b66e85869970716294d6a40cded1ab368396b52be7dd2c54bb52328c8f86

SHA512
cdf5759c5efdb0ba8b4b0f34451ddde2b06fcffb1cfc195122d7f78df400d3ff2c060b87c10461014c23f708d7b089cc9c22ae36433766d1929bd51819c28fde

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
352KB

MD5
4b56a0b23d08666d7b44a908ed7188ff

SHA1
6df6f3414749bed99aa6d61d6db7aa677f9e6d1b

SHA256
fc780a6d39fe05c73e6cde01c0cfa9e52809881cb4d7822497e938e015d8b82f

SHA512
8a21d2825980319aa65cc209c5ee52ab7e1b864641ff1b7a2b9caade84502df086f76b8157263b98d8d39632916ab6b30e30b86f15824ef33ee694a31753820f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
352KB

MD5
24c88bffa0628bffd08b8ae889b91e24

SHA1
1b809a781dd6b4d6e95733b5e2222d2c6031b016

SHA256
27eb01fd47464e88b4c3cfe5107518ac76b25eb815136aceeaed474542d9abe0

SHA512
b7442df5a49ab1f364b2b2c5f206445ae350e7d316a95b4d4967e691c8fa6fd53d2058b4f649ac79e1ef53b196e91cf7fb7671877b9d082d36f7adedbcd34b77

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
352KB

MD5
ea20fc7c911ed5a319ee7d5f03dc0232

SHA1
d9b1a12c515be87792eb97465631b45b2dad6413

SHA256
168df1eb78ee29848ece52e5004a1f9b18c9ddeedb4b512222c25b520d9a8466

SHA512
a983738eac5671e0593791d22ff50f32e72fcb8d610313bd452bb65659e7cc8c16659ad1997e77f469effba555c217671928d79dda50a3a10d7b26a3cd2ee5e7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
352KB

MD5
39d579c901f39d8fa74779da6b4405ef

SHA1
a6e7253dcf1ca17fc835072e7e742bfa781e24a5

SHA256
c38a18581303fec9f1bb276ae21322386701f2c22c4ba924abad1bd5c3caac83

SHA512
b92ff5deddc7391587e4b211f377b0bc1387abbb00930cb5482fc8ab1e2d4434e2eda24183e5562b14af692e40286898532f9287dacba1980e80101dd53f0cec

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
352KB

MD5
e91066dbaf903aae89d80b4eac9cdcc8

SHA1
08cc05708d2c18e0aea55a9d0fb408c343f5b921

SHA256
a864355a01c8bd929e9a4b3e3d3e0abd964b6810ca41425540846e380143e319

SHA512
e2556f7816d6cb9553ee2967e70134285828cb9205a402cf6117b6e73d0e4e79fecdad61cdd92290d014e20ae1df6e072b5cee5741e633ff937efdbdab4122b0

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
352KB

MD5
606be37fb7be2f5fec49d7767cd618c3

SHA1
092daa2c401fca173fc529aa88da3a03cd27d828

SHA256
d262592d03ebaf3b726d6a85ebba3b9f8f5f360bf3f4c2da030b0b7cf8308a70

SHA512
5c03a03e1b577305d6272326ba20886875010d99b135de04e70876a7c358e97428ced5f3af30ca5cb6810bb5c6636ae7c0e803b89599009f0aa98453e1f019b6

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
352KB

MD5
0ae6c5bca61c5b9bc20b798daac0e72e

SHA1
38a292acf9cdee8c8dbf5a12a7730b0de6fcdbbf

SHA256
ea0153a9d4ee7f8417dd419d8df59729a678d28b72e116f14a80cc32630d3ba5

SHA512
d6986d3b458729c719dfa4feab5c700cadcdad4f5002f6690ae28f88d7ad6794fb2724f35b18f0395e004e5718a3f420134665176e40271bada988b8d74b2f96

Download Submit
memory/516-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-193-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-131-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads