Analysis
max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 07:49
Static task: static1
Behavioral task: behavioral1
  Sample: 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe
  Resource: win10v2004-20241007-en
General
Target: 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe
Size: 69KB
MD5: 4cd3844bd6b8902ade282004d4151a50
SHA1: 5487ea36b35209544b9dff407e72c7b4d24752fc
SHA256: 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076
SHA512: e35e0941c687298f5a85f996712d4fb1b140143889be0027bdeed75bcdcb4ce963eb58a4b1e58e16fa22062c2baedb127cd0ad33f1ee508ef61640767d721a53
SSDEEP: 768:byB1rEj2Q5SGmPkroXTtf4pBPz23ccc8hcvKO6q/1H5R+cYmtxj0UDYFiqlk/GzX:2B1w2Cj7rojCXPPpNein/GFZCeDAyN
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 52 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (26 processes): Dknpmdfc.exe, Cnnlaehj.exe, Dejacond.exe, Daqbip32.exe, Dhocqigp.exe, Deokon32.exe, Daekdooc.exe, 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe, Cjpckf32.exe, Cffdpghg.exe, Ddonekbl.exe, Dmgbnq32.exe, Cmnpgb32.exe, Dfknkg32.exe, Cdfkolkf.exe, Calhnpgn.exe, Dhmgki32.exe, Djdmffnn.exe, Danecp32.exe, Dobfld32.exe, Dkifae32.exe, Ddjejl32.exe, Cagobalc.exe, Cdhhdlid.exe, Dogogcpo.exe, Deagdn32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (26 processes): Danecp32.exe, Dfknkg32.exe, Dkifae32.exe, Dogogcpo.exe, Deagdn32.exe, Djdmffnn.exe, Cnnlaehj.exe, Cagobalc.exe, Cffdpghg.exe, Calhnpgn.exe, Dhmgki32.exe, Cjpckf32.exe, Cdhhdlid.exe, Dmgbnq32.exe, Deokon32.exe, Cdfkolkf.exe, Cmnpgb32.exe, Daekdooc.exe, Dhocqigp.exe, 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe, Ddjejl32.exe, Dejacond.exe, Ddonekbl.exe, Dknpmdfc.exe, Dobfld32.exe, Daqbip32.exe
Berbew family
Executes dropped EXE (26 IoCs)
pid | Process
3808 | Cagobalc.exe
4896 | Cdfkolkf.exe
976 | Cjpckf32.exe
2132 | Cmnpgb32.exe
4760 | Cdhhdlid.exe
2796 | Cffdpghg.exe
2960 | Cnnlaehj.exe
2068 | Calhnpgn.exe
2408 | Ddjejl32.exe
5000 | Djdmffnn.exe
3676 | Danecp32.exe
1720 | Dejacond.exe
4396 | Dfknkg32.exe
1520 | Dobfld32.exe
4696 | Daqbip32.exe
1784 | Ddonekbl.exe
4276 | Dkifae32.exe
3316 | Dmgbnq32.exe
4292 | Deokon32.exe
2160 | Dhmgki32.exe
3524 | Dogogcpo.exe
2852 | Daekdooc.exe
2588 | Deagdn32.exe
4008 | Dhocqigp.exe
4776 | Dknpmdfc.exe
4240 | Dmllipeg.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Deagdn32.exe | Daekdooc.exe
File created | C:\Windows\SysWOW64\Ffpmlcim.dll | Cjpckf32.exe
File created | C:\Windows\SysWOW64\Cnnlaehj.exe | Cffdpghg.exe
File created | C:\Windows\SysWOW64\Ingfla32.dll | Cffdpghg.exe
File opened for modification | C:\Windows\SysWOW64\Dfknkg32.exe | Dejacond.exe
File created | C:\Windows\SysWOW64\Dmgbnq32.exe | Dkifae32.exe
File created | C:\Windows\SysWOW64\Jdipdgch.dll | Dobfld32.exe
File created | C:\Windows\SysWOW64\Amfoeb32.dll | Dmgbnq32.exe
File created | C:\Windows\SysWOW64\Kahdohfm.dll | Daekdooc.exe
File opened for modification | C:\Windows\SysWOW64\Cnnlaehj.exe | Cffdpghg.exe
File opened for modification | C:\Windows\SysWOW64\Djdmffnn.exe | Ddjejl32.exe
File opened for modification | C:\Windows\SysWOW64\Danecp32.exe | Djdmffnn.exe
File created | C:\Windows\SysWOW64\Dejacond.exe | Danecp32.exe
File created | C:\Windows\SysWOW64\Daqbip32.exe | Dobfld32.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dknpmdfc.exe
File opened for modification | C:\Windows\SysWOW64\Daekdooc.exe | Dogogcpo.exe
File opened for modification | C:\Windows\SysWOW64\Dknpmdfc.exe | Dhocqigp.exe
File created | C:\Windows\SysWOW64\Cagobalc.exe | 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe
File created | C:\Windows\SysWOW64\Calhnpgn.exe | Cnnlaehj.exe
File created | C:\Windows\SysWOW64\Hpnkaj32.dll | Danecp32.exe
File created | C:\Windows\SysWOW64\Cogflbdn.dll | Dejacond.exe
File created | C:\Windows\SysWOW64\Dogogcpo.exe | Dhmgki32.exe
File created | C:\Windows\SysWOW64\Cmnpgb32.exe | Cjpckf32.exe
File opened for modification | C:\Windows\SysWOW64\Cdhhdlid.exe | Cmnpgb32.exe
File created | C:\Windows\SysWOW64\Ihidnp32.dll | Dkifae32.exe
File created | C:\Windows\SysWOW64\Deokon32.exe | Dmgbnq32.exe
File opened for modification | C:\Windows\SysWOW64\Dhmgki32.exe | Deokon32.exe
File opened for modification | C:\Windows\SysWOW64\Ddonekbl.exe | Daqbip32.exe
File opened for modification | C:\Windows\SysWOW64\Dmgbnq32.exe | Dkifae32.exe
File created | C:\Windows\SysWOW64\Echdno32.dll | 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe
File created | C:\Windows\SysWOW64\Cacamdcd.dll | Cdfkolkf.exe
File created | C:\Windows\SysWOW64\Djdmffnn.exe | Ddjejl32.exe
File opened for modification | C:\Windows\SysWOW64\Dejacond.exe | Danecp32.exe
File created | C:\Windows\SysWOW64\Dfknkg32.exe | Dejacond.exe
File opened for modification | C:\Windows\SysWOW64\Daqbip32.exe | Dobfld32.exe
File opened for modification | C:\Windows\SysWOW64\Dhocqigp.exe | Deagdn32.exe
File created | C:\Windows\SysWOW64\Cdfkolkf.exe | Cagobalc.exe
File opened for modification | C:\Windows\SysWOW64\Cjpckf32.exe | Cdfkolkf.exe
File opened for modification | C:\Windows\SysWOW64\Cmnpgb32.exe | Cjpckf32.exe
File created | C:\Windows\SysWOW64\Hfanhp32.dll | Calhnpgn.exe
File created | C:\Windows\SysWOW64\Danecp32.exe | Djdmffnn.exe
File opened for modification | C:\Windows\SysWOW64\Cffdpghg.exe | Cdhhdlid.exe
File opened for modification | C:\Windows\SysWOW64\Calhnpgn.exe | Cnnlaehj.exe
File created | C:\Windows\SysWOW64\Pdheac32.dll | Ddonekbl.exe
File created | C:\Windows\SysWOW64\Ohmoom32.dll | Dogogcpo.exe
File created | C:\Windows\SysWOW64\Dkifae32.exe | Ddonekbl.exe
File opened for modification | C:\Windows\SysWOW64\Dogogcpo.exe | Dhmgki32.exe
File opened for modification | C:\Windows\SysWOW64\Deagdn32.exe | Daekdooc.exe
File created | C:\Windows\SysWOW64\Dhocqigp.exe | Deagdn32.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
File opened for modification | C:\Windows\SysWOW64\Cdfkolkf.exe | Cagobalc.exe
File opened for modification | C:\Windows\SysWOW64\Ddjejl32.exe | Calhnpgn.exe
File created | C:\Windows\SysWOW64\Ddonekbl.exe | Daqbip32.exe
File created | C:\Windows\SysWOW64\Fpdaoioe.dll | Deokon32.exe
File created | C:\Windows\SysWOW64\Lbabpnmn.dll | Dhmgki32.exe
File created | C:\Windows\SysWOW64\Dchfiejc.dll | Cdhhdlid.exe
File created | C:\Windows\SysWOW64\Dobfld32.exe | Dfknkg32.exe
File opened for modification | C:\Windows\SysWOW64\Dkifae32.exe | Ddonekbl.exe
File created | C:\Windows\SysWOW64\Elkadb32.dll | Deagdn32.exe
File created | C:\Windows\SysWOW64\Jffggf32.dll | Cagobalc.exe
File created | C:\Windows\SysWOW64\Cdhhdlid.exe | Cmnpgb32.exe
File created | C:\Windows\SysWOW64\Naeheh32.dll | Cnnlaehj.exe
File created | C:\Windows\SysWOW64\Hdhpgj32.dll | Ddjejl32.exe
File created | C:\Windows\SysWOW64\Nokpao32.dll | Dhocqigp.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4940 | 4240 | WerFault.exe | 111
System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (27 processes): Cmnpgb32.exe, Cnnlaehj.exe, Dejacond.exe, Cjpckf32.exe, Dmllipeg.exe, Calhnpgn.exe, Dobfld32.exe, Dhmgki32.exe, Daekdooc.exe, Cdhhdlid.exe, Dfknkg32.exe, Dknpmdfc.exe, Dkifae32.exe, Dmgbnq32.exe, Deagdn32.exe, Cdfkolkf.exe, Ddjejl32.exe, Dhocqigp.exe, 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe, Danecp32.exe, Daqbip32.exe, Cagobalc.exe, Dogogcpo.exe, Cffdpghg.exe, Djdmffnn.exe, Ddonekbl.exe, Deokon32.exe
Modifies registry class (64 IoCs)
All entries are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}, the CLSID referenced by the ShellServiceObjectDelayLoad value above.
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node (1 process): 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID (1 process): 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} (1 process): 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (21 processes): Cnnlaehj.exe, Dknpmdfc.exe, Dobfld32.exe, Cmnpgb32.exe, Dhocqigp.exe, Cdfkolkf.exe, Cdhhdlid.exe, Ddonekbl.exe, Dhmgki32.exe, Dogogcpo.exe, Daekdooc.exe, Dfknkg32.exe, Dejacond.exe, Cjpckf32.exe, Danecp32.exe, 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe, Djdmffnn.exe, Deokon32.exe, Deagdn32.exe, Ddjejl32.exe, Cagobalc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" (21 processes): Dfknkg32.exe, Ddjejl32.exe, Djdmffnn.exe, Danecp32.exe, Cagobalc.exe, Dhmgki32.exe, Dkifae32.exe, Ddonekbl.exe, Deokon32.exe, Cdhhdlid.exe, Cffdpghg.exe, Dejacond.exe, Cdfkolkf.exe, Dhocqigp.exe, Calhnpgn.exe, Dobfld32.exe, Dogogcpo.exe, Daekdooc.exe, Daqbip32.exe, Deagdn32.exe, 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default value, 19 processes, each pointing the CLSID at the DLL it dropped):
Cagobalc.exe = "C:\\Windows\\SysWow64\\Jffggf32.dll"
Dmgbnq32.exe = "C:\\Windows\\SysWow64\\Amfoeb32.dll"
Dobfld32.exe = "C:\\Windows\\SysWow64\\Jdipdgch.dll"
Daekdooc.exe = "C:\\Windows\\SysWow64\\Kahdohfm.dll"
Cjpckf32.exe = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"
7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe = "C:\\Windows\\SysWow64\\Echdno32.dll"
Dhmgki32.exe = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"
Dogogcpo.exe = "C:\\Windows\\SysWow64\\Ohmoom32.dll"
Calhnpgn.exe = "C:\\Windows\\SysWow64\\Hfanhp32.dll"
Danecp32.exe = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"
Dknpmdfc.exe = "C:\\Windows\\SysWow64\\Kngpec32.dll"
Djdmffnn.exe = "C:\\Windows\\SysWow64\\Agjbpg32.dll"
Cffdpghg.exe = "C:\\Windows\\SysWow64\\Ingfla32.dll"
Dfknkg32.exe = "C:\\Windows\\SysWow64\\Alcidkmm.dll"
Ddjejl32.exe = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"
Daqbip32.exe = "C:\\Windows\\SysWow64\\Mjelcfha.dll"
Ddonekbl.exe = "C:\\Windows\\SysWow64\\Pdheac32.dll"
Deokon32.exe = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"
Dejacond.exe = "C:\\Windows\\SysWow64\\Cogflbdn.dll"
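The two registry signatures above describe one persistence mechanism: Explorer.exe loads every CLSID listed under ShellServiceObjectDelayLoad at startup, and that CLSID resolves through its InProcServer32 key to the DLL the sample dropped into SysWOW64. Reading them separately hides the link, so the script below joins them. It is an added example, not part of the sandbox report or its tooling: it parses records in the report's flattened "description ioc Process" layout and pairs each SSODL write with the InProcServer32 DLL(s) registered for the CLSID it stores. The sample records are excerpted from the tables above; the regexes, class and function names are my own.

```python
"""Join the report's ShellServiceObjectDelayLoad writes to the CLSID they name.

Added example, not part of the sandbox report or its tooling. It parses
registry records in the report's flattened "description ioc Process" layout
and pairs each SSODL value (the CLSID Explorer will load at logon) with the
InProcServer32 DLL registered for that CLSID. Names below are my own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One record: <op> <registry path>[ = "<value>"] <process>
RECORD_RE = re.compile(
    r'(?P<op>Set value \(str\)|Key created) '
    r'(?P<path>.+?)'
    r'(?: = "(?P<value>[^"]*)")?'
    r' (?P<proc>\S+\.exe)(?= |$)'
)
# A value under ShellServiceObjectDelayLoad; its data is a CLSID.
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$', re.I)
# The (Default) value of CLSID\{...}\InProcServer32: the report renders the
# default value as a trailing backslash on the key path.
INPROC_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32\\$', re.I)


@dataclass(frozen=True)
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    process: str


@dataclass(frozen=True)
class Finding:
    process: str   # process that wrote the SSODL value
    entry: str     # SSODL value name, e.g. "Web Event Logger"
    clsid: str     # CLSID stored in that value
    dlls: tuple    # InProcServer32 DLLs registered for that CLSID, sorted


def parse_registry_events(text: str) -> list:
    """Split a flattened signature table into RegEvent records."""
    return [RegEvent(m['op'], m['path'], m['value'], m['proc'])
            for m in RECORD_RE.finditer(text)]


def inproc_servers(events) -> dict:
    """clsid -> {dll path: [processes that registered it]}."""
    servers = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e.value is None:
            continue
        m = INPROC_RE.search(e.path)
        if m:
            dll = e.value.replace('\\\\', '\\')  # the report doubles backslashes
            servers[m['clsid'].upper()][dll].append(e.process)
    return servers


def correlate(events) -> list:
    """Every SSODL write, paired with the DLL(s) behind the CLSID it stores."""
    servers = inproc_servers(events)
    findings = []
    for e in events:
        if e.value is None:
            continue
        m = SSODL_RE.search(e.path)
        if m:
            clsid = e.value.upper()
            findings.append(Finding(e.process, m['name'], clsid,
                                    tuple(sorted(servers.get(clsid, {})))))
    return findings


# Records excerpted from the two signature tables above (a small subset).
SAMPLE = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cagobalc.exe '
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagobalc.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgbnq32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" Cagobalc.exe '
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnnlaehj.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfknkg32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" Dmgbnq32.exe'
)


def main():
    for f in correlate(parse_registry_events(SAMPLE)):
        print(f"{f.process}: SSODL '{f.entry}' -> {f.clsid} -> "
              + (', '.join(f.dlls) or '<no InProcServer32 recorded>'))


if __name__ == '__main__':
    main()
```

Run against the full tables the join shows one CLSID re-pointed at 19 different SysWOW64 DLLs, one per generation of the dropper chain, which is a stronger signal than any single registry write. On a live host the same join is the check to run: enumerate HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its WOW6432Node mirror), resolve each CLSID through HKCR\CLSID\{...}\InProcServer32, and flag any DLL that is not Microsoft-signed or that was written recently.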
Suspicious use of WriteProcessMemory (64 IoCs)
The sandbox logged three identical records per parent/child pair; they are collapsed here with a count. The list is capped at 64 records, so it ends partway down the chain.
pid | Process | wrote to memory of pid | procid_target | records
244 | 7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe | 3808 | 83 | 3
3808 | Cagobalc.exe | 4896 | 84 | 3
4896 | Cdfkolkf.exe | 976 | 85 | 3
976 | Cjpckf32.exe | 2132 | 86 | 3
2132 | Cmnpgb32.exe | 4760 | 87 | 3
4760 | Cdhhdlid.exe | 2796 | 88 | 3
2796 | Cffdpghg.exe | 2960 | 89 | 3
2960 | Cnnlaehj.exe | 2068 | 91 | 3
2068 | Calhnpgn.exe | 2408 | 92 | 3
2408 | Ddjejl32.exe | 5000 | 93 | 3
5000 | Djdmffnn.exe | 3676 | 95 | 3
3676 | Danecp32.exe | 1720 | 96 | 3
1720 | Dejacond.exe | 4396 | 97 | 3
4396 | Dfknkg32.exe | 1520 | 98 | 3
1520 | Dobfld32.exe | 4696 | 99 | 3
4696 | Daqbip32.exe | 1784 | 100 | 3
1784 | Ddonekbl.exe | 4276 | 102 | 3
4276 | Dkifae32.exe | 3316 | 103 | 3
3316 | Dmgbnq32.exe | 4292 | 104 | 3
4292 | Deokon32.exe | 2160 | 105 | 3
2160 | Dhmgki32.exe | 3524 | 106 | 3
3524 | Dogogcpo.exe | 2852 | 107 | 1
Processes
C:\Users\Admin\AppData\Local\Temp\7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe "C:\Users\Admin\AppData\Local\Temp\7d0080d0be038de18c0765fec867bccfaec1282d130cdef4b17912d805782076N.exe" (depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:244
C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\system32\Cagobalc.exe (depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3808
C:\Windows\SysWOW64\Cdfkolkf.exe C:\Windows\system32\Cdfkolkf.exe (depth 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896
C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\system32\Cjpckf32.exe (depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976
C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\system32\Cmnpgb32.exe (depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132
C:\Windows\SysWOW64\Cdhhdlid.exe C:\Windows\system32\Cdhhdlid.exe (depth 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4760
C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\system32\Cffdpghg.exe (depth 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796
C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\system32\Cnnlaehj.exe (depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960
C:\Windows\SysWOW64\Calhnpgn.exe C:\Windows\system32\Calhnpgn.exe (depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068
C:\Windows\SysWOW64\Ddjejl32.exe C:\Windows\system32\Ddjejl32.exe (depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408
C:\Windows\SysWOW64\Djdmffnn.exe C:\Windows\system32\Djdmffnn.exe (depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000
C:\Windows\SysWOW64\Danecp32.exe C:\Windows\system32\Danecp32.exe (depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676
C:\Windows\SysWOW64\Dejacond.exe C:\Windows\system32\Dejacond.exe (depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720
C:\Windows\SysWOW64\Dfknkg32.exe C:\Windows\system32\Dfknkg32.exe (depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4396
C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\system32\Dobfld32.exe (depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520
C:\Windows\SysWOW64\Daqbip32.exe C:\Windows\system32\Daqbip32.exe (depth 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696
C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\system32\Ddonekbl.exe (depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784
C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\system32\Dkifae32.exe (depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276
C:\Windows\SysWOW64\Dmgbnq32.exe C:\Windows\system32\Dmgbnq32.exe (depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3316
C:\Windows\SysWOW64\Deokon32.exe C:\Windows\system32\Deokon32.exe (depth 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292
C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\system32\Dhmgki32.exe (depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160
C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\system32\Dogogcpo.exe (depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3524
C:\Windows\SysWOW64\Daekdooc.exe C:\Windows\system32\Daekdooc.exe (depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2852
C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\system32\Deagdn32.exe (depth 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2588
C:\Windows\SysWOW64\Dhocqigp.exe C:\Windows\system32\Dhocqigp.exe (depth 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4008
C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\system32\Dknpmdfc.exe (depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4776
C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\system32\Dmllipeg.exe (depth 27)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4240
C:\Windows\SysWOW64\WerFault.exe "C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 396" (depth 28)
- Program crash
PID:4940
C:\Windows\SysWOW64\WerFault.exe "C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4240 -ip 4240" (depth 1)
PID:3700
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
69KB
MD5
29ce4bfb091174fe3de0ed05880e4892
SHA1
80a02e8d7353b29063dd8115a801929d1e4b4251
SHA256
1c7afe99f72678178fe4f738a71415c7fcd2b7caab4561ba27babddddb0abb2f
SHA512
d1c7702d96854194fc4259e133f006b6c564ac235f2b3e42489efb8b97f7751a3656fc21683382028ae6061bf13870df97e95f00cda7a1bf1aafe45a91720d4c
-
Filesize
69KB
MD5
8f9353cf002eb19f3bca077a0bcaa160
SHA1
5d8e969883c0d1f039af9283c2956e55a5c01c01
SHA256
43dd08450fba59e012576b3a9ed8ed70828f10197a139ee56c234f89785e782c
SHA512
bae8a35afb5d6f3d85f6f05956fd5b1e28a604d589e672b6884b0b4a0bdd4b634bc7543fcfcfebe6c37652cf3788a7b60058db4b5e92aabcb00fddb4e6d7f15e
-
Filesize
69KB
MD5
fc247efae87ed51388005ec4bd6ae257
SHA1
4f8b4b3c7aae39ddcfc12054462e947e7fad3243
SHA256
61f573259ccd44bc903749669eb7b964d2f8bc905a59a42f5b1542a254615304
SHA512
14145f00dec9c4138dfe63dfae03664222bbaf63d6356e560e71968049b7fa885bd84696a7fdd104742d8eefd56d6780bfc011f2d30339fe5f453a12c5492e7e
-
Filesize
69KB
MD5
13634c9b4bbecbc1ec9f9f62421bfec4
SHA1
fdc0ecc903d9ba6256b38116ca93ba919ac978b4
SHA256
e08c31cab6f3aeab15c8daf5e056d384f4061a6f8cc56ec515a6d9349b257c40
SHA512
555465dcf95f6e82a6144b31234509b298be85f6f9417812bda021f0b2c57a49769772e352c28d374c9d9e2148a7a6eb1fa29c2f4b14784c1b43490bc2b336a6
-
Filesize
69KB
MD5
bd2261d1945691c31f0b64a53c3c8459
SHA1
f3621e4e0bcb8ee49b95dab777d3165b9a170047
SHA256
7930841d040671c9bbd192c40a60f996457a0c9650c28956305f35f7667ead33
SHA512
f5e8bfd0e41eafc72bb8d7a9f4b883954c9f1d5ddcb97ab7dc1364c5f9eea463e8b7b3d01cd72fe5330df224a6c88b2da924cec85f16cf9d307bf476dfdb7279
-
Filesize
69KB
MD5
a8c8482e6a6d9046968d5d217e04fae0
SHA1
9a0dc6d5d33b4561713d08442c0affb945063ae5
SHA256
10c45a87ca16f25606dc70ad0a7931ae1914e7b6a6f41aefdc3094a101ab06fe
SHA512
d0360aa6508e84226be068dad0620331c0a0bc843b83044db1368e8bab0446173a7575499e3403336d4064cfe9aff81787f78febba19cd2c37f836d518e630aa
-
Filesize
69KB
MD5
4c2fa245a501f9c7d862303b9b785b5c
SHA1
1e31ce458edb7f28984903291620ecd817d96e6c
SHA256
b1190b0afbf4f3e4d1add39c17dcb8f3437864413c16690a5a4912c15064bfee
SHA512
6dc7d33e97086a70d31aba269de8f0e254ff3f0855c608f83a17c9f74c476f46decdeb1d043815c1ecf4151add6772ce9d091e70e84e8e765e9f416bc5eca828
-
Filesize
69KB
MD5
901e90b53dc04166907fa5847ee2a53e
SHA1
38cde96d888a4d266bc84ba73208b7eb5eaa45fd
SHA256
04423e78d4bc7a657e1ee33ce9cf0c29496a466165641db1d42e0e9ebb90ffc2
SHA512
8ae77248065ca8a413a1f2f0f6c1ee13ffba623aed9a6f9ac7f76020e5867b2b5d86d7c6d8eb736353a9e6e8748452c1c7e807d436ff7b82ec4d72434f0ee1b0
-
Filesize
69KB
MD5
ec39a367d2b861791052da4e30039f0c
SHA1
14f1024478b245ba7c274b010fd42385f6e30256
SHA256
5eddeac65978cc4d845937bb3aeda59cb3aa38c747f6112a740af611b67f1c03
SHA512
4dd6993bfb93144a2e195ccdfe9af9c1c281b90046f73c4f7de83acbeefdc48b3dd7f2a4a6fc2e456f9688ae61b6225865170610ca7becae896bfc656c5ecf22
-
Filesize
69KB
MD5
5c368f812ce1cd9837bc4e407899c32c
SHA1
0954c4c590c8d23c412913d8fa3960d19387f370
SHA256
39e41c13c7f017044af4d37da7a2390942f40099805638050987e4bafe44d0f5
SHA512
e5d6c3ec7cf5441bb98b3b1ee74b3ac0050c1ee4fb850dbd3333862789f2b62ade59b56005355945e10cc255e7d237e607bbb8a4a78b139a512b5af3b1ae14bd
-
Filesize
69KB
MD5
9210d4439b5b6416088bb17af24b8acd
SHA1
cdb4b62f12902c9e23ad91b4774de267f7c7d080
SHA256
e73f246ae8a04d83ef66468218aff37e935d54e4dbb7e3fcea6f53be5d61dae0
SHA512
008892ea605bc79ddbbfd432e52eb356d8916fd9ef5bb65de17235dea01a2b145a14125303dde8f24c424a934f1b912b3b76de68fe326e98266a340bcd70df38
-
Filesize
69KB
MD5
38f3edfa7907120a22273191efd317e2
SHA1
9de35f0829879dbd9130315dc92444476eb1996e
SHA256
37d5a260ea47e2b5086d91985c37009577ee89927a133016261da22b1e3289e9
SHA512
21e5bca8c57f5bc0049089dd5350a2e6cb2554291fd7170190d83dd348067b3c8675ccdaa393088f5f4a0d12037725c57705adefe52527cb5f4e7536c26b3f96
-
Filesize
69KB
MD5
bb0405864a8771c98ead7677c47859f9
SHA1
4eedc56e972a92e948bff88e9bcce83a75ca4fc0
SHA256
8a0ec41b96d65f98d55bf151d430705046dcf8ac7fa5d051c95e5b0a1809bed7
SHA512
747589787d51da7fa4290c2832dc0e39fe2af36b0bb7690312f9a951fb730c22b9d956727bde8c3c67226dd7b3bb92c420dc253617634d5b92237d91964a6970
-
Filesize
69KB
MD5
85b765cd043e60bad2eda148fdde1c6b
SHA1
4e0d279201a1d3a9513051f2dbf06d17586b47f0
SHA256
b1e4be02a6facee4dbd707f63e807f1b7abbd0f7401e40e5b57e9512dca5c10c
SHA512
e16f0cb49cdb7564f43afe4d15d6234db4015d2790c5c397124debb7875d4812b7c41f548b4cda49084bcdac62daf6439922f78d573dbd297ae2d823e9bf7325
-
Filesize
69KB
MD5
a0a5e6190de7c997da974a7803b08a4d
SHA1
56834a2e1a8a8446778d4f43ce22e2e3df7ccf5b
SHA256
3ef6c56e3c2e1f2537568555dafb4d31d7e5537779905827790225035563ea9a
SHA512
6669d9376de7fa63f34ccac925a4d7dd47c47dbeb9de8f6b9e8b9ddd04189615752abe1aa44f5ccb9692d3e2b6f3458769a2e633d1fd899ac158724b346786b7
-
Filesize
69KB
MD5
afdec02cb03a594bae8d2584e22d80bc
SHA1
4071829e48ad0eef2d6d3e505e6ae5c7042efe82
SHA256
cf4dbc093da5958d1d672157cb30e7e3a50c9da58d05f04ede96d102ad17cc7f
SHA512
f9782abc19b17c9de083f5c94ff86572dd916c6799fff6facbe8bb1ec69d8b2c76d352402acca6737b9450ab53a48f5094dec7bfc3b092ed86c4a11895d4400e
-
Filesize
69KB
MD5
0c474287f3488e38ab1390e7f1d69c03
SHA1
2edbb320b294640147e44c90a746040669bd38cd
SHA256
2320969085f97dc8181d2deebc7976a4912f1016b7d00e4895d44259effcf7bc
SHA512
afc5e143377da87900ff4619055921e42b623ac0e97a4c15dc2f559c26eefbb63cd96e963cb5b6eefc5a97c1ae970964dcf1174d7a6468374dde28ae3488d4d5
-
Filesize
69KB
MD5
b51c7dddd7c04b53c1f8e46fcb4e0c7d
SHA1
b0f266420b1bdef0c06916bee8002e770681f63e
SHA256
c19b2909c81638b78835c4da69076f003db6f0cec9d665afbeb491714ceb4d2c
SHA512
be268590ebe7be83ca605b8dc7138c2815b3b83e18098c3f8e0c552998a4d21f77fd80a8e14ea5d7583d52386ee73136cf25c8751f4380589232e51524dcaf63
-
Filesize
69KB
MD5
745607b5eb80e41e50fb154225e298c7
SHA1
bac8d165ff6be3c925c0c70193d996ca080038d4
SHA256
0a5acf465b2aee007b2771dbd38caf6e3dfc5d2b12a1662ec450d788ee15d5aa
SHA512
7a4c1b3bc818a63da21087ad5d245486957c555f2162bf8f199da9d39aa67afe2b6b7865f15b252299b0d282cccc7fd26f8c769d492b3d4039d3b6030def0ddc
-
Filesize
69KB
MD5
69861038d2403ac85533cfbc8829a729
SHA1
ea80313b4001a198adbccb57bab85b1369203306
SHA256
755975971293d8c1e3f423689733300ad7764b93c71d85f299fd8823a17cc036
SHA512
15da98e899028f0920cd4139d291a1b0b1bb0307ded17f821813bf06ee1a288a22a0793a0dd799de268a58f33bdc8c9f7fba617f39a96b4338c4eb64a34588d5
-
Filesize
69KB
MD5
162ab6254bc3207df801a3a210656e07
SHA1
820f402206e50b2a5501161b9ae76d2ab334c9e0
SHA256
4d051d01f6bdf621a38146bd567d42649c17eab536a0aee1820d1458c95c504f
SHA512
e21ef7fa3ae3b273e76f205d2702a6cf190466b58c9c21bd86b679e8c2624aa4e175173e2ee6e25857189b934b2611180d50d42612e6d0b6af0a285d344187c3
-
Filesize
69KB
MD5
ec9227edd530737a622fe19685f2026f
SHA1
f3a10ec3d4575f0502c5078a1eacbd2015738823
SHA256
659313aa344afa2211cd0d78e61911968dc2d80c7528233e2adf29947e117eb4
SHA512
1c4cf47c6372bdef877c5445c04abbdd6c85d529d74616903294cc619c0c0963aa8bafdaf110747fdaa7315a779523385c34b50bcffe7128b8736f515b689218
-
Filesize
69KB
MD5
af3c51825448d565b0036d86705e7a84
SHA1
f293ad5d195ec00a0a1afd303e7fc44c17abc81c
SHA256
3f398edfb7eadada075b05302f4356b68839eaaca638db5aae1f71ad8c73cbc0
SHA512
ec57ffe7f0f41c68ae2418086bde51d11f37acb58e660d003d16007964bb73db852b0aa47ff5abde3677b373f8c0c4d446e44d14ff574da7d86192f057f9f9b6
-
Filesize
69KB
MD5
5f890d7b6cec963bcc801dd6ba0e49a7
SHA1
142301bf0e7363ab6cd5f20803372eb86ce5cac4
SHA256
1ff947d4d297e029751cdb5d471338fdbe5cf3462eb5f8489e79401680ef938a
SHA512
75758c9d33fed1eb00450251cca5f2fca00db502ca837ff851b256b5da13f31b1aa238a581bb592147ab9f974d0638c55aaac3b4fe7a05166f08064c4921c4a3
-
Filesize
69KB
MD5
040df6e12a70ac369eac838ff4647732
SHA1
9715f84364b3836ae48afed1ddfcf84c44f6c49e
SHA256
f22dfc856cad9d8060b8c10fdaff5b62b858f292ea7c1e2974a3f8f2c2db8e73
SHA512
9787b9baa25ec2f3f2332eb35fbbc5d29653ce8ca43650d139d2452e28dee7374940feb62bc2308f29f3f6365f38e1bcbc09182e6cdfde47198dfd32df3e6992
-
Filesize
69KB
MD5
a63b448f0d1a852a2fae8921fbdc122e
SHA1
ea5827697be95c940d1d112aa3c4572619683209
SHA256
8c214c09263ca2996e14a1594975d503732ed24afead125c1dfdaef0f3977bb9
SHA512
eac079c4ae0448efa9a597bf4ac40be7b90510bf87d1b676b3e7363e5f9737df9d518e7ebdfeeed9dd8d3bbb7ed888955dfced2d5448a2b02c8530cf308a203a