Analysis

max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:40

Tasks

Static task static1
Behavioral task behavioral1: sample be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe, resource win7-20240903-en
Behavioral task behavioral2: sample be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe, resource win10v2004-20241007-en (the run reported below)
General

Target: be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe
Size: 92KB
MD5: 8b790cad0b498c571317b5d5af416d90
SHA1: cb5f6d52907df299081a831518d7300ed4b22152
SHA256: be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808
SHA512: 7341ed9424b32c0bd28ab1aa0d2d327be43084b51f1001845b6d05c7b35239bbc1589e054a6f05a6b12fd58bbde5337553df6359ae03021305fe87db04b2ceb5
SSDEEP: 1536:JlWIH04xVPaqTFReV+j65YVepJJZIcqID59KOJk24VEI4Lar/ju7JC5:5HTVP97362e/nIcqIOOJF4EISi/iG
Malware Config
Signatures

Several of the IoC lists below stop at exactly 64 entries. Treat them as a capped sample of the registry and file operations, not as the complete set.
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Processes throughout the drop chain register the same CLSID under the ShellServiceObjectDelayLoad (SSODL) key, which the shell enumerates at start-up and instantiates through COM. The value name "Web Event Logger" is arbitrary; the data is the CLSID that the "Modifies registry class" entries further down map to a dropped DLL. Note where the writes land: the sample is 32-bit (arch:x86 tag, SysWOW64 drops), so the registry redirector sends its HKLM\SOFTWARE writes into the WOW6432Node view, which the 64-bit explorer.exe on this image does not consult. On a 32-bit Windows install there is no redirection and the same write lands in the key the shell actually reads, so the entry should be hunted for in both views.

Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by (27 processes): Cnkplejl.exe, Calhnpgn.exe, Dfknkg32.exe, Daqbip32.exe, Dkifae32.exe, Dogogcpo.exe, Djdmffnn.exe, Daconoae.exe, Dmjocp32.exe, Chagok32.exe, Dkkcge32.exe, Ddmaok32.exe, Bmbplc32.exe, Ceckcp32.exe, Ddjejl32.exe, Doilmc32.exe, Cffdpghg.exe, Dddhpjof.exe, Cjkjpgfi.exe, Ddonekbl.exe, Bjfaeh32.exe, Ceehho32.exe, Cjbpaf32.exe, Dopigd32.exe, Dfpgffpm.exe, Cegdnopg.exe, Cfdhkhjj.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  by (37 processes): Chagok32.exe, Cnicfe32.exe, Ddonekbl.exe, Daqbip32.exe, Dhkjej32.exe, Cffdpghg.exe, Dhfajjoj.exe, Dogogcpo.exe, Cndikf32.exe, Ceehho32.exe, Ceqnmpfo.exe, Ddmaok32.exe, Dfpgffpm.exe, Cdhhdlid.exe, Bhhdil32.exe, Daekdooc.exe, Dodbbdbb.exe, Doilmc32.exe, Danecp32.exe, Dejacond.exe, Djgjlelk.exe, Beihma32.exe, Cmqmma32.exe, Calhnpgn.exe, Dfknkg32.exe, Cnkplejl.exe, Dmgbnq32.exe, Dknpmdfc.exe, Cdabcm32.exe, Cegdnopg.exe, Djdmffnn.exe, Dfnjafap.exe, Dmjocp32.exe, be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe, Bmbplc32.exe, Cabfga32.exe, Cajlhqjp.exe
Executes dropped EXE (61 IoCs)

The order below is the drop chain: each stage writes the next stage's EXE (plus a DLL) into SysWOW64 and launches it, as the "Drops file in System32 directory" rows show (Bmbplc32.exe creates Beihma32.exe, Beihma32.exe creates Bhhdil32.exe, and so on). Every file name has the same shape: eight lowercase letters, or six letters followed by "32".

pid   process
2536  Bmbplc32.exe
316   Beihma32.exe
1540  Bhhdil32.exe
2128  Bjfaeh32.exe
2156  Bapiabak.exe
1708  Chjaol32.exe
4752  Cndikf32.exe
1832  Cabfga32.exe
3460  Cdabcm32.exe
4024  Cjkjpgfi.exe
4356  Ceqnmpfo.exe
4380  Cjmgfgdf.exe
2612  Cnicfe32.exe
4588  Cagobalc.exe
3712  Ceckcp32.exe
1420  Chagok32.exe
1100  Cfdhkhjj.exe
4028  Cjpckf32.exe
408   Cnkplejl.exe
636   Cajlhqjp.exe
2760  Ceehho32.exe
4856  Cdhhdlid.exe
3892  Cffdpghg.exe
3908  Cjbpaf32.exe
2532  Cmqmma32.exe
2928  Calhnpgn.exe
4764  Cegdnopg.exe
4432  Ddjejl32.exe
3604  Dhfajjoj.exe
1912  Dfiafg32.exe
2972  Djdmffnn.exe
2476  Dopigd32.exe
2408  Dmcibama.exe
1896  Danecp32.exe
5060  Dejacond.exe
2560  Ddmaok32.exe
956   Dhhnpjmh.exe
2888  Dfknkg32.exe
5052  Djgjlelk.exe
3388  Dobfld32.exe
1524  Daqbip32.exe
3160  Delnin32.exe
1376  Ddonekbl.exe
4580  Dhkjej32.exe
1824  Dfnjafap.exe
1456  Dkifae32.exe
4932  Dodbbdbb.exe
3040  Dmgbnq32.exe
3828  Daconoae.exe
4120  Deokon32.exe
1096  Ddakjkqi.exe
1948  Dfpgffpm.exe
3660  Dkkcge32.exe
712   Dogogcpo.exe
1660  Dmjocp32.exe
5096  Daekdooc.exe
3004  Deagdn32.exe
2584  Dddhpjof.exe
2284  Dhocqigp.exe
1936  Dknpmdfc.exe
4252  Doilmc32.exe
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64\, the 32-bit system directory. Each row is one file operation and the process that performed it.

C:\Windows\SysWOW64\Deagdn32.exe  created by Daekdooc.exe
C:\Windows\SysWOW64\Dddhpjof.exe  opened for modification by Deagdn32.exe
C:\Windows\SysWOW64\Amjknl32.dll  created by Deagdn32.exe
C:\Windows\SysWOW64\Doilmc32.exe  opened for modification by Dknpmdfc.exe
C:\Windows\SysWOW64\Bhhdil32.exe  created by Beihma32.exe
C:\Windows\SysWOW64\Cabfga32.exe  opened for modification by Cndikf32.exe
C:\Windows\SysWOW64\Dopigd32.exe  created by Djdmffnn.exe
C:\Windows\SysWOW64\Dkifae32.exe  opened for modification by Dfnjafap.exe
C:\Windows\SysWOW64\Pjngmo32.dll  created by Cjpckf32.exe
C:\Windows\SysWOW64\Cajlhqjp.exe  opened for modification by Cnkplejl.exe
C:\Windows\SysWOW64\Cmqmma32.exe  created by Cjbpaf32.exe
C:\Windows\SysWOW64\Cegdnopg.exe  opened for modification by Calhnpgn.exe
C:\Windows\SysWOW64\Fqjamcpe.dll  created by Chjaol32.exe
C:\Windows\SysWOW64\Cdabcm32.exe  created by Cabfga32.exe
C:\Windows\SysWOW64\Ceqnmpfo.exe  opened for modification by Cjkjpgfi.exe
C:\Windows\SysWOW64\Cfdhkhjj.exe  created by Chagok32.exe
C:\Windows\SysWOW64\Dejacond.exe  created by Danecp32.exe
C:\Windows\SysWOW64\Jjjald32.dll  created by Dejacond.exe
C:\Windows\SysWOW64\Pdheac32.dll  created by Dfnjafap.exe
C:\Windows\SysWOW64\Cjkjpgfi.exe  opened for modification by Cdabcm32.exe
C:\Windows\SysWOW64\Cjmgfgdf.exe  created by Ceqnmpfo.exe
C:\Windows\SysWOW64\Iqjikg32.dll  created by Beihma32.exe
C:\Windows\SysWOW64\Bapiabak.exe  created by Bjfaeh32.exe
C:\Windows\SysWOW64\Omocan32.dll  created by Cdabcm32.exe
C:\Windows\SysWOW64\Cjbpaf32.exe  opened for modification by Cffdpghg.exe
C:\Windows\SysWOW64\Ddjejl32.exe  created by Cegdnopg.exe
C:\Windows\SysWOW64\Daekdooc.exe  opened for modification by Dmjocp32.exe
C:\Windows\SysWOW64\Ddmaok32.exe  created by Dejacond.exe
C:\Windows\SysWOW64\Mjelcfha.dll  created by Delnin32.exe
C:\Windows\SysWOW64\Dhocqigp.exe  created by Dddhpjof.exe
C:\Windows\SysWOW64\Bhhdil32.exe  opened for modification by Beihma32.exe
C:\Windows\SysWOW64\Ceehho32.exe  opened for modification by Cajlhqjp.exe
C:\Windows\SysWOW64\Cdhhdlid.exe  opened for modification by Ceehho32.exe
C:\Windows\SysWOW64\Kkmjgool.dll  created by Dhfajjoj.exe
C:\Windows\SysWOW64\Jbpbca32.dll  created by Ddonekbl.exe
C:\Windows\SysWOW64\Dkkcge32.exe  opened for modification by Dfpgffpm.exe
C:\Windows\SysWOW64\Dhocqigp.exe  opened for modification by Dddhpjof.exe
C:\Windows\SysWOW64\Maickled.dll  created by Ceqnmpfo.exe
C:\Windows\SysWOW64\Hcjccj32.dll  created by Djdmffnn.exe
C:\Windows\SysWOW64\Alcidkmm.dll  created by Djgjlelk.exe
C:\Windows\SysWOW64\Delnin32.exe  created by Daqbip32.exe
C:\Windows\SysWOW64\Djgjlelk.exe  opened for modification by Dfknkg32.exe
C:\Windows\SysWOW64\Dkifae32.exe  created by Dfnjafap.exe
C:\Windows\SysWOW64\Beihma32.exe  created by Bmbplc32.exe
C:\Windows\SysWOW64\Ndhkdnkh.dll  created by Bhhdil32.exe
C:\Windows\SysWOW64\Naeheh32.dll  created by Cmqmma32.exe
C:\Windows\SysWOW64\Eokchkmi.dll  created by Ddjejl32.exe
C:\Windows\SysWOW64\Kdqjac32.dll  created by Cjkjpgfi.exe
C:\Windows\SysWOW64\Ghilmi32.dll  created by Chagok32.exe
C:\Windows\SysWOW64\Deokon32.exe  created by Daconoae.exe
C:\Windows\SysWOW64\Doilmc32.exe  created by Dknpmdfc.exe
C:\Windows\SysWOW64\Nbgngp32.dll  created by Ddmaok32.exe
C:\Windows\SysWOW64\Dogogcpo.exe  opened for modification by Dkkcge32.exe
C:\Windows\SysWOW64\Dknpmdfc.exe  opened for modification by Dhocqigp.exe
C:\Windows\SysWOW64\Diphbb32.dll  created by Dknpmdfc.exe
C:\Windows\SysWOW64\Eifnachf.dll  created by Cagobalc.exe
C:\Windows\SysWOW64\Okgoadbf.dll  created by Cjbpaf32.exe
C:\Windows\SysWOW64\Calhnpgn.exe  opened for modification by Cmqmma32.exe
C:\Windows\SysWOW64\Dopigd32.exe  opened for modification by Djdmffnn.exe
C:\Windows\SysWOW64\Agjbpg32.dll  created by Dmcibama.exe
C:\Windows\SysWOW64\Ddonekbl.exe  created by Delnin32.exe
C:\Windows\SysWOW64\Cdabcm32.exe  opened for modification by Cabfga32.exe
C:\Windows\SysWOW64\Ckmllpik.dll  created by Cjmgfgdf.exe
C:\Windows\SysWOW64\Cegdnopg.exe  created by Calhnpgn.exe
Program crash (1 IoC)

pid   pid_target  process
4144  4760        WerFault.exe

WerFault.exe (pid 4144) handled a crash of pid 4760. That pid does not appear in the "Executes dropped EXE" list above, and the report does not say which process it was.
System Location Discovery: System Language Discovery (1 TTP, 63 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The key below is also read by ordinary locale-aware code, so on its own this is a weak signal; here it simply shows every stage of the chain executing the same code path.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by (63 processes): Bjfaeh32.exe, Bapiabak.exe, Cfdhkhjj.exe, Cajlhqjp.exe, Cffdpghg.exe, Dhocqigp.exe, Dmllipeg.exe, Cegdnopg.exe, Daconoae.exe, Dddhpjof.exe, Dfpgffpm.exe, Daekdooc.exe, Ceckcp32.exe, Cdhhdlid.exe, Calhnpgn.exe, Dhkjej32.exe, Bmbplc32.exe, Cabfga32.exe, Cdabcm32.exe, Ddakjkqi.exe, Cndikf32.exe, Ddonekbl.exe, Deokon32.exe, Dmjocp32.exe, be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe, Dopigd32.exe, Cjkjpgfi.exe, Ceqnmpfo.exe, Dfiafg32.exe, Dogogcpo.exe, Dobfld32.exe, Dfnjafap.exe, Dkifae32.exe, Chjaol32.exe, Cagobalc.exe, Chagok32.exe, Ddjejl32.exe, Dhhnpjmh.exe, Dmgbnq32.exe, Beihma32.exe, Cnicfe32.exe, Cjpckf32.exe, Ceehho32.exe, Dhfajjoj.exe, Daqbip32.exe, Deagdn32.exe, Dknpmdfc.exe, Ddmaok32.exe, Djgjlelk.exe, Dkkcge32.exe, Danecp32.exe, Dfknkg32.exe, Doilmc32.exe, Cjmgfgdf.exe, Cmqmma32.exe, Bhhdil32.exe, Djdmffnn.exe, Delnin32.exe, Dodbbdbb.exe, Cnkplejl.exe, Cjbpaf32.exe, Dmcibama.exe, Dejacond.exe

Dmllipeg.exe appears here but not in the capped "Executes dropped EXE" list, so the chain is longer than the 61 stages shown there.
Modifies registry class 64 IoCs
Processes:
Dfknkg32.exeDfnjafap.exeDeokon32.exeDfpgffpm.exeCajlhqjp.exeBjfaeh32.exeCjkjpgfi.exeCffdpghg.exeCalhnpgn.exeDfiafg32.exeDopigd32.exeBhhdil32.exeDknpmdfc.exeDoilmc32.exeDhkjej32.exeDaqbip32.exeDmcibama.exeCeehho32.exeCdhhdlid.exeDobfld32.exeDkkcge32.exeCdabcm32.exeDdjejl32.exeDjgjlelk.exeDelnin32.exeBmbplc32.exeCagobalc.exeCjpckf32.exeCjbpaf32.exeDodbbdbb.exeDmgbnq32.exeCeqnmpfo.exeCndikf32.exeCfdhkhjj.exeDdakjkqi.exeDaekdooc.exeDhocqigp.exebe0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exeDeagdn32.exeDdmaok32.exeDhhnpjmh.exeChagok32.exeDhfajjoj.exeCegdnopg.exeDjdmffnn.exeDaconoae.exeBapiabak.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll" Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Dfpgffpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjfaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjkjpgfi.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cffdpghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" 
Dmcibama.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceehho32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdhhdlid.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfiafg32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dobfld32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" Dkkcge32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdabcm32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddjejl32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djgjlelk.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" Delnin32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbplc32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" Cagobalc.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjpckf32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjbpaf32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" Dodbbdbb.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" Dmgbnq32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deokon32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doilmc32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" Ceqnmpfo.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndikf32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfdhkhjj.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmcibama.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgbnq32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddakjkqi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daekdooc.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhocqigp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Delnin32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deagdn32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddmaok32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhhnpjmh.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll" Dopigd32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhhdil32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" Chagok32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chagok32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhfajjoj.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cegdnopg.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfiafg32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll" Djdmffnn.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dopigd32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" Daconoae.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhocqigp.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll" Cdabcm32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll" Bapiabak.exe
-
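The persistence recorded above has two halves: a value under ShellServiceObjectDelayLoad (SSODL) naming CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and a CLSID\...\InProcServer32 key whose default value points at a dropped DLL in SysWow64 (Lbabpnmn.dll, Mjelcfha.dll, Eifnachf.dll and so on); Explorer loads whatever that CLSID resolves to at logon. The following check is an added example, not part of this report or of the sample: it walks both SSODL views, resolves each CLSID to its in-process server in both the native and the WOW6432Node CLSID hives, and flags any server DLL that is missing or not validly signed. It assumes an elevated PowerShell session on the host being examined; the "Suspicious" column is a heuristic, not a verdict.

```powershell
# Added example: hunt for ShellServiceObjectDelayLoad entries and resolve each
# CLSID to the DLL Explorer will load. Not code from the report or the sample.
# Assumes an elevated session on the host being checked.

$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
)

function Resolve-ClsidServer {
    param([Parameter(Mandatory)][string]$Clsid)
    # The report shows the sample touching only the WOW6432Node view, so both
    # views are checked and every hit is returned.
    foreach ($root in $ClsidRoots) {
        $key = Join-Path -Path $root -ChildPath "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                Key            = $key
                Dll            = [string]$props.'(default)'
                ThreadingModel = [string]$props.ThreadingModel
            }
        }
    }
}

function Get-SsodlFindings {
    foreach ($ssodl in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $ssodl)) { continue }
        $item = Get-Item -LiteralPath $ssodl
        foreach ($name in $item.GetValueNames()) {
            $clsid   = [string]$item.GetValue($name)
            $servers = @(Resolve-ClsidServer -Clsid $clsid)
            if ($servers.Count -eq 0) {
                # A GUID with no InProcServer32 in either view is stale or a
                # half-removed implant; still worth a row in the output.
                $servers = @([pscustomobject]@{ Key = $null; Dll = ''; ThreadingModel = '' })
            }
            foreach ($s in $servers) {
                $dll = ''
                if ($s.Dll) { $dll = [Environment]::ExpandEnvironmentVariables($s.Dll) }
                if (-not $dll) {
                    $status = 'NoServerDll'
                } elseif (-not (Test-Path -LiteralPath $dll)) {
                    $status = 'FileMissing'
                } else {
                    $status = [string](Get-AuthenticodeSignature -FilePath $dll).Status
                }
                [pscustomobject]@{
                    SsodlKey   = $ssodl
                    ValueName  = $name
                    Clsid      = $clsid
                    ServerKey  = $s.Key
                    Dll        = $dll
                    Threading  = $s.ThreadingModel
                    SigStatus  = $status
                    # Anything Explorer auto-loads that is not validly signed
                    # deserves a look; an unsigned DLL dropped straight into
                    # SysWOW64, as in this report, is the classic case.
                    Suspicious = ($status -ne 'Valid')
                }
            }
        }
    }
}

Get-SsodlFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

When cleaning up a hit, remove the SSODL value, the CLSID key in the view where it was found, and the DLL itself; removing only the DLL leaves Explorer trying to load a missing file, and removing only the SSODL value leaves the COM registration for the next dropper to reuse.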
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe, Bmbplc32.exe, Beihma32.exe, Bhhdil32.exe, Bjfaeh32.exe, Bapiabak.exe, Chjaol32.exe, Cndikf32.exe, Cabfga32.exe, Cdabcm32.exe, Cjkjpgfi.exe, Ceqnmpfo.exe, Cjmgfgdf.exe, Cnicfe32.exe, Cagobalc.exe, Ceckcp32.exe, Chagok32.exe, Cfdhkhjj.exe, Cjpckf32.exe, Cnkplejl.exe, Cajlhqjp.exe, Ceehho32.exe
description, pid, process, target process (each parent-to-child pair is recorded three times unless noted; 64 events in total)
- PID 1984 wrote to memory of 2536 (3 events): be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe -> Bmbplc32.exe
- PID 2536 wrote to memory of 316 (3 events): Bmbplc32.exe -> Beihma32.exe
- PID 316 wrote to memory of 1540 (3 events): Beihma32.exe -> Bhhdil32.exe
- PID 1540 wrote to memory of 2128 (3 events): Bhhdil32.exe -> Bjfaeh32.exe
- PID 2128 wrote to memory of 2156 (3 events): Bjfaeh32.exe -> Bapiabak.exe
- PID 2156 wrote to memory of 1708 (3 events): Bapiabak.exe -> Chjaol32.exe
- PID 1708 wrote to memory of 4752 (3 events): Chjaol32.exe -> Cndikf32.exe
- PID 4752 wrote to memory of 1832 (3 events): Cndikf32.exe -> Cabfga32.exe
- PID 1832 wrote to memory of 3460 (3 events): Cabfga32.exe -> Cdabcm32.exe
- PID 3460 wrote to memory of 4024 (3 events): Cdabcm32.exe -> Cjkjpgfi.exe
- PID 4024 wrote to memory of 4356 (3 events): Cjkjpgfi.exe -> Ceqnmpfo.exe
- PID 4356 wrote to memory of 4380 (3 events): Ceqnmpfo.exe -> Cjmgfgdf.exe
- PID 4380 wrote to memory of 2612 (3 events): Cjmgfgdf.exe -> Cnicfe32.exe
- PID 2612 wrote to memory of 4588 (3 events): Cnicfe32.exe -> Cagobalc.exe
- PID 4588 wrote to memory of 3712 (3 events): Cagobalc.exe -> Ceckcp32.exe
- PID 3712 wrote to memory of 1420 (3 events): Ceckcp32.exe -> Chagok32.exe
- PID 1420 wrote to memory of 1100 (3 events): Chagok32.exe -> Cfdhkhjj.exe
- PID 1100 wrote to memory of 4028 (3 events): Cfdhkhjj.exe -> Cjpckf32.exe
- PID 4028 wrote to memory of 408 (3 events): Cjpckf32.exe -> Cnkplejl.exe
- PID 408 wrote to memory of 636 (3 events): Cnkplejl.exe -> Cajlhqjp.exe
- PID 636 wrote to memory of 2760 (3 events): Cajlhqjp.exe -> Ceehho32.exe
- PID 2760 wrote to memory of 4856 (1 event): Ceehho32.exe -> Cdhhdlid.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe (level 1), command line: "C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Bmbplc32.exe (level 2), command line: C:\Windows\system32\Bmbplc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Beihma32.exe (level 3), command line: C:\Windows\system32\Beihma32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Bhhdil32.exe (level 4), command line: C:\Windows\system32\Bhhdil32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Bjfaeh32.exe (level 5), command line: C:\Windows\system32\Bjfaeh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Bapiabak.exe (level 6), command line: C:\Windows\system32\Bapiabak.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Chjaol32.exe (level 7), command line: C:\Windows\system32\Chjaol32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Cndikf32.exe (level 8), command line: C:\Windows\system32\Cndikf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Cabfga32.exe (level 9), command line: C:\Windows\system32\Cabfga32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Cdabcm32.exe (level 10), command line: C:\Windows\system32\Cdabcm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Cjkjpgfi.exe (level 11), command line: C:\Windows\system32\Cjkjpgfi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Ceqnmpfo.exe (level 12), command line: C:\Windows\system32\Ceqnmpfo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Cjmgfgdf.exe (level 13), command line: C:\Windows\system32\Cjmgfgdf.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Cnicfe32.exe (level 14), command line: C:\Windows\system32\Cnicfe32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Cagobalc.exe (level 15), command line: C:\Windows\system32\Cagobalc.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Ceckcp32.exe (level 16), command line: C:\Windows\system32\Ceckcp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Chagok32.exe (level 17), command line: C:\Windows\system32\Chagok32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Cfdhkhjj.exe (level 18), command line: C:\Windows\system32\Cfdhkhjj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Cjpckf32.exe (level 19), command line: C:\Windows\system32\Cjpckf32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Cnkplejl.exe (level 20), command line: C:\Windows\system32\Cnkplejl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Cajlhqjp.exe (level 21), command line: C:\Windows\system32\Cajlhqjp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Ceehho32.exe (level 22), command line: C:\Windows\system32\Ceehho32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Cdhhdlid.exe (level 23), command line: C:\Windows\system32\Cdhhdlid.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Cffdpghg.exe (level 24), command line: C:\Windows\system32\Cffdpghg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Cjbpaf32.exe (level 25), command line: C:\Windows\system32\Cjbpaf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Cmqmma32.exe (level 26), command line: C:\Windows\system32\Cmqmma32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Calhnpgn.exe (level 27), command line: C:\Windows\system32\Calhnpgn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Cegdnopg.exe (level 28), command line: C:\Windows\system32\Cegdnopg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4764 -
C:\Windows\SysWOW64\Ddjejl32.exe (level 29), command line: C:\Windows\system32\Ddjejl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Dhfajjoj.exe (level 30), command line: C:\Windows\system32\Dhfajjoj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Dfiafg32.exe (level 31), command line: C:\Windows\system32\Dfiafg32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Djdmffnn.exe (level 32), command line: C:\Windows\system32\Djdmffnn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Dopigd32.exe (level 33), command line: C:\Windows\system32\Dopigd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Dmcibama.exe (level 34), command line: C:\Windows\system32\Dmcibama.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Danecp32.exe (level 35), command line: C:\Windows\system32\Danecp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Dejacond.exe (level 36), command line: C:\Windows\system32\Dejacond.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5060 -
C:\Windows\SysWOW64\Ddmaok32.exe (level 37), command line: C:\Windows\system32\Ddmaok32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Dhhnpjmh.exe (level 38), command line: C:\Windows\system32\Dhhnpjmh.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Dfknkg32.exe (level 39), command line: C:\Windows\system32\Dfknkg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Djgjlelk.exe (level 40), command line: C:\Windows\system32\Djgjlelk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5052 -
C:\Windows\SysWOW64\Dobfld32.exe (level 41), command line: C:\Windows\system32\Dobfld32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3388 -
C:\Windows\SysWOW64\Daqbip32.exe (level 42), command line: C:\Windows\system32\Daqbip32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Delnin32.exe (level 43), command line: C:\Windows\system32\Delnin32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3160 -
C:\Windows\SysWOW64\Ddonekbl.exe (level 44), command line: C:\Windows\system32\Ddonekbl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Dhkjej32.exe (level 45), command line: C:\Windows\system32\Dhkjej32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4580 -
C:\Windows\SysWOW64\Dfnjafap.exe (level 46), command line: C:\Windows\system32\Dfnjafap.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Dkifae32.exe (level 47), command line: C:\Windows\system32\Dkifae32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Windows\SysWOW64\Dodbbdbb.exe (level 48), command line: C:\Windows\system32\Dodbbdbb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4932 -
C:\Windows\SysWOW64\Dmgbnq32.exe (level 49), command line: C:\Windows\system32\Dmgbnq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Daconoae.exe (level 50), command line: C:\Windows\system32\Daconoae.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Deokon32.exe (level 51), command line: C:\Windows\system32\Deokon32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4120 -
C:\Windows\SysWOW64\Ddakjkqi.exe (level 52), command line: C:\Windows\system32\Ddakjkqi.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Dfpgffpm.exe (level 53), command line: C:\Windows\system32\Dfpgffpm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Dkkcge32.exe (level 54), command line: C:\Windows\system32\Dkkcge32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3660 -
C:\Windows\SysWOW64\Dogogcpo.exe (level 55), command line: C:\Windows\system32\Dogogcpo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:712 -
C:\Windows\SysWOW64\Dmjocp32.exe (level 56), command line: C:\Windows\system32\Dmjocp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Daekdooc.exe (level 57), command line: C:\Windows\system32\Daekdooc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Deagdn32.exe (level 58), command line: C:\Windows\system32\Deagdn32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Dddhpjof.exe (level 59), command line: C:\Windows\system32\Dddhpjof.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Dhocqigp.exe (level 60), command line: C:\Windows\system32\Dhocqigp.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Dknpmdfc.exe (level 61), command line: C:\Windows\system32\Dknpmdfc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Doilmc32.exe (level 62), command line: C:\Windows\system32\Doilmc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4252 -
C:\Windows\SysWOW64\Dmllipeg.exe (level 63), command line: C:\Windows\system32\Dmllipeg.exe
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Windows\SysWOW64\WerFault.exe (level 64), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 396
- Program crash
PID:4144
-
C:\Windows\SysWOW64\WerFault.exe (level 1), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4760 -ip 4760
PID:4336
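The process tree and the WriteProcessMemory list describe one linear chain: the sample starts one 8-character executable in SysWOW64, that executable starts the next, and so on for 63 levels until Dmllipeg.exe (PID 4760) crashes into WerFault. The check below is an added example and is not part of the report; it reconstructs such chains from process-creation records and reports root, depth and the full parent-to-child path. The record shape and the Sysmon Event ID 1 adapter are this example's own assumptions, and the sample records are constructed from the PIDs and names in this report, with a made-up parent (PID 4000, explorer.exe) for the initial sample since the report does not show it.

```powershell
# Added example, not from the report: find chains of SysWOW64-resident
# executables that launch one another. The Sysmon adapter is an assumption;
# the sample records are constructed from this report's PIDs and names.

$DropPattern = '\\SysWOW64\\[A-Za-z0-9]{8}\.exe$'

function New-ProcRecord {
    param([int]$ProcessId, [string]$Image, [int]$ParentProcessId, [string]$ParentImage)
    [pscustomobject]@{
        ProcessId       = $ProcessId
        Image           = $Image
        ParentProcessId = $ParentProcessId
        ParentImage     = $ParentImage
    }
}

function Get-SysmonProcessCreates {
    # Assumed adapter for hosts that run Sysmon: Event ID 1 carries
    # ProcessId, Image, ParentProcessId and ParentImage in EventData.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        ForEach-Object {
            $d = @{}
            foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            New-ProcRecord -ProcessId ([int]$d.ProcessId) -Image $d.Image `
                           -ParentProcessId ([int]$d.ParentProcessId) -ParentImage $d.ParentImage
        }
}

function Find-DropChains {
    param([Parameter(Mandatory)][object[]]$Records, [int]$MinDepth = 3)
    # Index children by parent PID. PID reuse across a long window is ignored here.
    $children = @{}
    foreach ($r in $Records) {
        if (-not $children.ContainsKey($r.ParentProcessId)) { $children[$r.ParentProcessId] = @() }
        $children[$r.ParentProcessId] += ,$r
    }
    # A root is a process that is not itself a SysWOW64 drop but starts one.
    $roots = $Records | Where-Object {
        $_.Image -notmatch $DropPattern -and
        $children.ContainsKey($_.ProcessId) -and
        (@($children[$_.ProcessId] | Where-Object { $_.Image -match $DropPattern }).Count -gt 0)
    }
    foreach ($root in $roots) {
        $chain = @($root)
        $cur = $root
        while ($children.ContainsKey($cur.ProcessId)) {
            $next = @($children[$cur.ProcessId] | Where-Object { $_.Image -match $DropPattern })
            if ($next.Count -eq 0) { break }
            $cur = $next[0]          # follow the first drop; the report's chain is strictly linear
            $chain += ,$cur
        }
        if ($chain.Count -ge $MinDepth) {
            [pscustomobject]@{
                RootPid   = $root.ProcessId
                RootImage = $root.Image
                Depth     = $chain.Count - 1
                Chain     = ($chain | ForEach-Object { '{0}:{1}' -f $_.ProcessId, [IO.Path]::GetFileName($_.Image) }) -join ' -> '
            }
        }
    }
}

# Constructed sample: the first links of the chain in this report plus one
# unrelated SysWOW64 process that must not be picked up.
$Sample = 'C:\Users\Admin\AppData\Local\Temp\be0cb18eb0036939c68276fadb922a211a327a27ca87ed9febfe5db455e83808N.exe'
$records = @(
    (New-ProcRecord 1984 $Sample 4000 'C:\Windows\explorer.exe'),
    (New-ProcRecord 2536 'C:\Windows\SysWOW64\Bmbplc32.exe' 1984 $Sample),
    (New-ProcRecord 316  'C:\Windows\SysWOW64\Beihma32.exe' 2536 'C:\Windows\SysWOW64\Bmbplc32.exe'),
    (New-ProcRecord 1540 'C:\Windows\SysWOW64\Bhhdil32.exe' 316  'C:\Windows\SysWOW64\Beihma32.exe'),
    (New-ProcRecord 2128 'C:\Windows\SysWOW64\Bjfaeh32.exe' 1540 'C:\Windows\SysWOW64\Bhhdil32.exe'),
    (New-ProcRecord 5000 'C:\Windows\SysWOW64\notepad.exe'  4000 'C:\Windows\explorer.exe')
)
Find-DropChains -Records $records | Format-List
# On a host with Sysmon: Find-DropChains -Records @(Get-SysmonProcessCreates)
```

Match on the image path rather than the command line: the tree above shows each child's command line as C:\Windows\system32\...exe while the file actually lives in C:\Windows\SysWOW64, because the 32-bit parent's view of system32 is redirected by WOW64. The 8-character name filter is only a heuristic; WerFault.exe happens to fit it, so on a live host it may appear as the final link of a chain exactly as it does in this report, which does not change the root or the depth that identify the chain.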
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
92KB
MD56d4a5aef20f9701120e887fbf64ef14d
SHA1062e312e95d429d3497ec4fee62fe44986ea83ec
SHA256bfe2f2bb7e4c507803d9d2244baebabe1a04d96a33d3fd0526680c40fe999b5b
SHA51256be743cb8b609a88d78ab625f3bd90a530b695d208f722e8dc83409ea4f006bd2b1f8bc851541de64e3a42e6eb80be54e21b2ff2ce6fbd417e2d3b1b5d306e3
-
Filesize
92KB
MD5b60aa944d358d333422e1c88d65fe9b9
SHA18f5fb389c97fb67bab5b5a1269ff4252d92f94cf
SHA25686b612ee0e9fb953133205268272a77ee3a1328b3af530cfb4c8b784dcedbb79
SHA512296fd4dc9c9b74378c7eec14232ee5c3a2a2c2f8428f5fd8e1eeb8bd46cee3a4eec51a30662638784a5024b6ea47f38fb0354ec544cda1543e9726fc3f701809
-
Filesize
92KB
MD5407cceaf4efda3fb6f97efa1537eedb3
SHA1cea371b1014ec40c630ea6eda27827d1666b8ba0
SHA2561fb3b47565f679fcf73437879cd7f876de3db9060b4b5853769fb0c7289a19cb
SHA5124b8bd1e31e9b39836e61e49e21b40097e406bcb87a6db9cb7d2e15de397a89f0007c48d9c1467412d211f62e78bfe301b380a931a117364211a9159e9a4a0ea7
-
Filesize
92KB
MD598246540ecb13b4de34393ec79b97dc7
SHA1a1dc840d6680db1e092ff708506711f3f606d10d
SHA2564c916fbf11b7b54c805daba55b12fe3823bbefe2ffb754c313df479120bde520
SHA51261ef4e1abc35ca413faa9eb0b50e57d04306c0da828827fe24906af61f446daa10841df1e8be8c4e86fccd934a21e803e19cc2d41571fd96f7480db09e38a1f6
-
Filesize
92KB
MD5976905142b45073a08a9be8bb0fa27b5
SHA19ee0b4bff01230d0689745c81c3b103e0f049bf5
SHA256cfe3ae96cd82a4d4c4b946004f96cf82c7e34f507d809bba82773acd605f84b6
SHA5120f49c29b462c074e45bb7da53bd79024fc27eeb81abb4efd3ef938f1a27e1fbd5d4a6695f5485f47a63668df2eaff941e6d8b8076c414bde2ad66b6270bf88f1
-
Filesize
92KB
MD5d801f6f03353468465956ee130e89677
SHA1066a590299b1a2c03a81ff98e599f8856eecadf9
SHA2569d35bd7c0652c490a8bf5e0040d3b585c6f9afcffa37da4588dc79b62201f20e
SHA512490de750600bb9de858ddb7b3f1eb1cbf2c7fe044d173cee7ffd6bf43ac982cb31bc613d0c8dd7f1ce79b2f61a4e79c79d6663f6aff7d6b0471963ffea689e85
-
Filesize
92KB
MD51557ad72b36d3223d9b30a776d9302db
SHA1285aabce9194f426d0dfd36432b331f85dbcb8e3
SHA256cafa1e92e374de920fd2739e831d3aab36d7c32ff66951d15890a2cae064e3b5
SHA512a995e82a6ba649146858c1be6ba0046911c7ddd96ec6795482a331d0218904caff17b10c110a6e6aa9235e5e9ac23b550cd3f9810a86c1c39407e14b36ceeb9f
-
Filesize
92KB
MD50b378d0cd659a2d8da4e7e71af38e287
SHA1e68afaa96a2ab59e220776011238382747a07e99
SHA2569a4ea48ce30c8e80f04429e486b5787a61e9ff8ac652a00ffe38904df33ade17
SHA512f0072af0245b6f47ea6a22921def97c2200f664ba3fd8401f2983ee96323e191c421caa1292fe32773aa00e9e16aef1c9d4d4815a738aa797d5f29ef22ea54c9
-
Filesize
92KB
MD523667cd4d9e45fca37c5448a093a9620
SHA18c5f9c6c2c1de66d1d22050aa1afedb276df89d9
SHA2569546bb931fc6a48de795f298239291f467b2745aee4977f0beb39725bdbad68c
SHA512c398adbf441d4fd330391216e9243d1cbedf1d9d5ea0aab4cdecd5aaa96cde1f5fe68f5b630816ffdf020154b87abc47174ffd908ce8ccca45137518510380b0
-
Filesize
92KB
MD5521e37581449ddbf68972c9daaade00b
SHA1552ec584f17e7ef90396b89afe507504a1d213fa
SHA25650397d5eb16958be38122d2a99fd0622c7352834ca79f70d26eb4c6e684abad7
SHA51225ae2a20621285be3d647cd21bfd330a61daa05cd8545ef844309d99bd35d5bb9ee44c398b34b24fe8b5e85cb08c678c4ac49585937a06fd82651a6ad98b898d
-
Filesize
92KB
MD5013a40b077bf5aa15e6e4fdfb8149cb2
SHA1a448bb3d76b99eeb80c2918c1bcd195d40721a55
SHA256fa4348723662b5f0881b61c389717b850a707f3e2b35a0281c90cdcdf591c9aa
SHA512b0efa2f30644f54a980c3c840d0f75980373d92e7d823022f40b4496d32e99c55d7b4600097243167aac9bf2a25354578169bbefae5293265c6e54189b7d74a6
-
Filesize
92KB
MD54a10c76c0821122705d8c1d98e887275
SHA1230448344316e23bbf0890dc06f5c02642ea0de0
SHA2565dd008cc9096ed36722d5b55a8546845998a265d7f3d291bfcfb9bf1c89fa878
SHA51299400a5b454a57d1c0473413b290b70824df94e08fe3ee6f26c9db94827d4a188acefc73554264894c5deaa99575e63b6a81e71b5d0f79814644f3d38bcced48
-
Filesize
92KB
MD51195831b7bb883c05b7ebf4c0e641345
SHA1f97515d5d0f04e7f6852a2ce287168b5d290475b
SHA256dc0470f9ef3413e51f2f80fa6ce626398e30883bd04c4ba86fc87a7a0d798187
SHA5126321169cbacf17cbc5b5e795fa0f7b4283e4fa89602bf799a9a4449ca199783c9faa60550b6540a55244fa0d905e4c463e72dece88e30b9be0a66e5b3f948e2a
-
Filesize
92KB
MD517c475eb0a2f041a5ca91bd379d2a18b
SHA12ced81fb43122a26f97eda69f25ad7b7fb238eb9
SHA25603e2417ccdf547d0a0efecfd1de256849db5b40544c1b1b62599ab18701f7615
SHA512ad536a1f87f17c4a5771d55125fbea0eb731dd9816c6d7816f3aca5641bb42b45b8300e296e7e41e898a979c6dc0e74bffc060c7076c29a41d946adc569fc1ca
-
Filesize
92KB
MD52553a140aa0c2ad4cdfe71ca3f67fbc8
SHA1048190733e892d5353e55a038d28a3f32e5b645d
SHA256e0300972ec4291a638d6f9fae68a48336e0d1862bf78f84c8d2ed69e77b55e61
SHA5126c5e12210000ad416bf3a70d6568a82994c764ba7cfb240d9d1d532120f1dbfba352536db0d4d991d7c0899f40837d951f2acf653ee66796e6d5d71bd285fcc7
-
Filesize
92KB
MD56e5c5e88966c1080ee5ae836625c6d0f
SHA185f4234c24c29f4be96c9479960fdea68f3625bd
SHA256f85ef654c96fb430d0a12a7b463eb9fd5df0767d1ade5cfc185d9c7f93077ffc
SHA5128f53ef859f7339cae4016fb51140ea96bba9ace16f5a1762f77af094ab3d826a91bf14d3b4b6a59192b41e6525cb3a1932c0e4388de1295b341290817292ac27
-
Filesize
92KB
MD546f4d9c968cf52b93d06a96313d4c4ab
SHA1edf2da3e4c9caef8795803538a10c04ac2e6678f
SHA256f446e78ca79c456efee5d5a910985819019ffed1a5ed276ec184a8adb2d434c8
SHA5122f6c074eb9f6d763f21e40208925f0f047501c13838ae06187cdd040cf90296b18e959fcad61eeb0fb58dbe9567e31fe59bf30e07b5736db7281d06bc5d54042
-
Filesize
92KB
MD593b610ff7224af413a2b595406d90409
SHA11df8b2051debda096c689fba366e446649af3412
SHA2564f3d5425c040e6c5f7b5db81bb84162a8602a1bd0b68ec4b7848aee82c341acb
SHA512a7a247e86e081d918c7d8cae881ef1a7df97594e1fdfa5a4fadd2d7282df0f409bf1be03b14ec24a38c2c92c204fc74dc31a1606e31017d9f58a8f8a57d4b0fb
-
Filesize
92KB
MD5633295bbaba0f6cfab58c8e610fcf70d
SHA14034240053feef7c725078aa39979f345e0ea477
SHA256d18adfbcaad0fb29f549797d689972fbdf99b966967f62b58d06cfd5876c8878
SHA512
17331a8afcec550f14832417104ae00d61453be9405f52a3ba51001993723ad578e658ce02324d855685a0949b73f211425a29b6a4d468bdd08cee873eee47da
-
Filesize
92KB
MD5
815b1c12a0b476ecc64bcd27c273d9ea
SHA1
f7ee5d5a83f65493f8c85f78dd459f8e0d999ac2
SHA256
46e75083438e667a7feb8d57f7c40a9f289c5d001163339f17eaea839d23d0a4
SHA512
fcb57fad4fbe91810aa777c31b6b673ea98e95005547c8dc357d2ed4ccaa3c94b9ac79c67feb6ef42633ff4b1d1919cb4b0cfe063373efb85f0ea74cd53df0e2
-
Filesize
92KB
MD5
23da000180e7885c9e3827749cdf5d22
SHA1
2c59b845fed35120e8c29877c20216d2a6cb2508
SHA256
ed8fabbf5ebebd0df58ab8e24e505c6ab46965055b9f5bb4e78bd6553cf19300
SHA512
1dc5648f9b91ed5c5afa25cb5be2a5f6a7ce641c0f44383b74a2bae049f08676aebaccb310c91370a0ac11d7d6278552128196b58ba2b618a4efc5728f4e2f7a
-
Filesize
92KB
MD5
cd6bbe22852ed2c890a39d9d67d2a816
SHA1
f4aa4357d49f33aa0bc1f7a75c9fd96b20fa3a1b
SHA256
84638c59bc9b9273bdbdd21f82a84c839a1bafda22b498d0f8d8f979f5c7ee97
SHA512
32e9b0dda3ca9211628b28c52a042a30880003a8c46445833486ccaf83b00a43f360846fcb047d832e50dbf59e9ca0fa1364f4f41990aec27569be488c5409ad
-
Filesize
92KB
MD5
39e12d447f22212764566d626bf60baa
SHA1
6c3917ad02454b1e1b23676af0f5edd6e80f4fd9
SHA256
7986ce906f9ab6c14b7411a088d4b7cb3672105a3b025dfac8c36748aec9f66e
SHA512
570b3f271a174e04ce1725b19700c1ba978df4e207703473b795c224e96c083f0129bbcb63a68fe9f2bb515aa370e60a9dbfcbcb3e555630b9e7e55e0c74bbde
-
Filesize
92KB
MD5
a6977ea5a4adf76b4154cf879f237b1e
SHA1
d82de23c3a8c3b91ee7d2ac885d5dc1a4f514571
SHA256
ec2fb1616c766dea426c77d75074ee32f13bf6c524bbdbd9db5cbd5d3c7d9abd
SHA512
fec7d3647b71abd90c2f8fb0b91240f54e2f06f095ff537f6666fc46bb84b6e86efd6e0888e24fa5fccec1443ee7a8904036d8c2795c5297904ffdb00028b19d
-
Filesize
92KB
MD5
164e575e2d15e3539c85bec7d4bf71f5
SHA1
e87e92c5411f5086d1f24474738e3b962a7974af
SHA256
b1045b879dc4de0b8dc6776185ecf65981ba0bf1c05b033c11f8bc1e05a6c06a
SHA512
7b1a7363bfbe97a451c964b1d01e315e16b58945e0006f093942443240edab455260a27c36f5be8492f649037b7930a9744bfe724f95d09ffb8b4f8766a2106b
-
Filesize
92KB
MD5
02a441ef861c539a8df630db114a0abc
SHA1
cc6bca0885b4cb869613ab59b3bf807addb7e9c4
SHA256
0e2b3a01fb38ac2de400e10b39b7105fe9902937147b5512e703368d056d0911
SHA512
c34026a66b3d82d72b0405debbf7c01979d9ef57ee556c4c99756e6603f676707dac1af8c9a8ec9e7d345b278f8ddd3a7959ba5a8873210b4bca21dbc950a3fd
-
Filesize
92KB
MD5
e387882045eee6c86a5c50ed79a4fdde
SHA1
49c40de6fa0e347cebc09298899fb0aabb4e1d94
SHA256
c2f9ceed51f16527ae94a8ea2b558628c90e4374f010c8970ea5648c1380f27e
SHA512
b8bd3fb4c6308c5a43afc3ec0c81a468d4763b25d3f0ca738f3ce764619dddfad90b3f5cd3f1d76dd72991a90a941827367e61f93e848b33be7d813d8cf79dfa
-
Filesize
92KB
MD5
1e2b7d1504125746bea041bb62982e77
SHA1
3f15ec19ef7d92bc3981f116ce38f0505942c21f
SHA256
d01536c01923d97f18f494f00998ba3c31d9e974107526589f57418e73a1dbe7
SHA512
8fc0f8a2184c3f17e1b9d8fe4b992885f0cf0f7df4d5c00938b4ee49ef36feb0a3e037693dfc82929c59f8c08bb3e883db1d5e93c6ad8c5f1531645aa25e98a0
-
Filesize
92KB
MD5
e5b0d2dd28eff3ec2e74dddbcd75610d
SHA1
d398fc0f5b098ba7be309d4c8c54525b28609dd4
SHA256
c14ee219a35ee436e6a000af8677d34304a28dce44f0198b050610f3ea5e4b72
SHA512
8f0c490150555927149ba3fae5caef292f6e071cf4699224da5f06ba7f8021dd571dc64732f72e8805842385be3a66db59a8aea41fa16356d2645620658f1596
-
Filesize
92KB
MD5
49b1071c6c4ba63a5ad82d4b756b3aaa
SHA1
b1b2f46ff6d6d00161f072ffa8eaaab1f09afbcb
SHA256
85a1570689487de87507a7d159052a6a2329f05f89655124f955660fb55d3293
SHA512
9671fdd4203e8173391c6541bd200f43df2a368ef1fd3f7b5b381bcacf73c81007a0568eee6671b1ec1e146e6010b87d554cdc2bafc978a9f3714a38a261706d
-
Filesize
92KB
MD5
8033ad7aef16c6aa4cf459ab6bb61019
SHA1
fd8aeee839fafece23990b28a5113cd5f12d4555
SHA256
e8506c5225fd6cfff2bc85618586d807bad02bc068e46d19469a1e6df33f8596
SHA512
5fc740748d45c6f7891a1b7fd4c690255107a898ea3c3d2b8c2705081921b9aecc980c41e053ccdbaf13262bbfa73c4f2a623c517956ff9c084d1d178305f4be
-
Filesize
92KB
MD5
8f2020adfb2b924ab4add14dc6fc3286
SHA1
aa8550f2a33777ad675c72c176554781bca9b641
SHA256
7c7db047f1a046629fc33fcecaec209eecf84710e9112f7de3117efd123ab02c
SHA512
7883c17f2514fa39f9b9c784d2631d69d6b247ed12fd9b831171ec8329b2d70a3ca6c8df406e045f7d140d26fa676a19ac8d2c6ffbe59576913493f1c9c65d23
