Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:03
Static task: static1
Behavioral task: behavioral1
  Sample: 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe
  Resource: win10v2004-20241007-en
General
Target: 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe
Size: 91KB
MD5: 876847c0983a9c96ea228278cfbc63f8
SHA1: 374db4a5623a69af0b5093ae4a25f23f8be9c0b2
SHA256: 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12
SHA512: e2a8075b61943e2e90c29cf647c0526ee22b53e72c57e7492678f7afa95de6136d82a011adb207c0bb2d68d0950afc794a09c5206ce329467cd91b060261b60c
SSDEEP: 1536:MGSKn+s/TMPLeESaWirVROw9e9FalLBsLnVLdGUHyNwtN4/nLLVaBlEaaaaaadhC:HSKMzeHaWEEFalLBsLnVUUHyNwtN4/nG
Malware Config
Extracted: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (43 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
  pid: 696 | pid_target: 2852 | process: WerFault.exe | target process: Fkckeh32.exe
System Location Discovery: System Language Discovery (1 TTP, 44 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Processes:
Eccmffjf.exeCghggc32.exeDndlim32.exeDlnbeh32.exeDdigjkid.exeEqijej32.exeCdgneh32.exeCjfccn32.exeDliijipn.exeDfdjhndl.exeEgllae32.exeDfoqmo32.exeEplkpgnh.exeDcenlceh.exeDbfabp32.exeDhpiojfb.exeDhbfdjdp.exeEgafleqm.exeEnfenplo.exeFjaonpnn.exeCpnojioo.exeDogefd32.exeDojald32.exeDggcffhg.exeEchfaf32.exe9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exeCdlgpgef.exeDkcofe32.exeEhgppi32.exeDpbheh32.exeDcadac32.exeEgjpkffe.exeCppkph32.exeEfaibbij.exeEfcfga32.exeEmkaol32.exeDnoomqbg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll" Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjlnm32.dll" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll" Cjfccn32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfdjhndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll" Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll" Eccmffjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll" Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpiojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll" Egafleqm.exe Key created 
description ioc process
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cghggc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" Dhbfdjdp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enfenplo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjaonpnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpnojioo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dogefd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojald32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dggcffhg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echfaf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll" Cdlgpgef.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchafg32.dll" Dliijipn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll" Dbfabp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkcofe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll" Ehgppi32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll" Cpnojioo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqelfddi.dll" Dhpiojfb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpbheh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcadac32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogefd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egjpkffe.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqijej32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll" Cppkph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll" Efaibbij.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cppkph32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlgpgef.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfoqmo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll" Enfenplo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll" Efcfga32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpiojfb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efaibbij.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll" Emkaol32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emkaol32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" Echfaf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojald32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnoomqbg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddigjkid.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddigjkid.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egjpkffe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe
-
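The events above are the persistence side of this run: every stage creates the same CLSID's InProcServer32 key, points its default value at the DLL it has just dropped under C:\Windows\SysWow64\ and sets ThreadingModel to Apartment, so the component that instantiates that CLSID (the "Adds autorun key to be loaded by Explorer.exe on startup" signature on this page is what makes Explorer do so at logon) loads that DLL in-process. Because each stage re-registers the server, only the DLL named by the last write is live at the end of the run, and a hunt has to look at the current InProcServer32 value rather than the first one seen. The Python below is an added example, not code from the report or from the sandbox: it parses event lines in the report's own wording (five of them copied above as constructed input, not the whole table) and groups InProcServer32 writes per CLSID.

```python
import re
from collections import defaultdict

# One registry event in the report's wording, e.g.
#   Key created \REGISTRY\...\InProcServer32 Enfenplo.exe
#   Set value (str) \REGISTRY\...\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll" Enfenplo.exe
EVENT_RE = re.compile(
    r'^(?P<action>Key created|Set value \((?:str|int|data)\))\s+'
    r'(?P<path>\\REGISTRY\\\S*?)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'
    r'\s+(?P<process>\S+\.exe)$'
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed input: five events copied from the listing above (a subset, not the whole table).
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enfenplo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll" Enfenplo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll" Efcfga32.exe
"""


def parse_registry_events(text):
    """Parse report lines into dicts: action, key, value name (None for key creation), data, process."""
    events = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised registry event: {line!r}")
        action, path, data, process = m.group("action", "path", "data", "process")
        if action.startswith("Set value"):
            key, _, name = path.rpartition("\\")
            value = name or "(Default)"          # a trailing backslash means the key's default value
            data = data.replace("\\\\", "\\")     # the report doubles backslashes inside quoted data
        else:
            key, value = path, None
        events.append({"action": action, "key": key, "value": value, "data": data, "process": process})
    return events


def com_server_registrations(events):
    """Group InProcServer32 writes by CLSID: which DLLs were registered, with what threading model, by which processes."""
    regs = defaultdict(lambda: {"dlls": set(), "threading": set(), "writers": set()})
    for ev in events:
        clsid = CLSID_RE.search(ev["key"])
        if clsid is None or not ev["key"].lower().endswith("\\inprocserver32"):
            continue
        entry = regs[clsid.group(0).upper()]
        entry["writers"].add(ev["process"])
        if ev["value"] == "(Default)":
            entry["dlls"].add(ev["data"])
        elif ev["value"] == "ThreadingModel":
            entry["threading"].add(ev["data"])
    return dict(regs)


def repointed_servers(regs):
    """CLSIDs whose in-process server was pointed at more than one DLL during the run.
    For this sample every stage re-registers the same CLSID, so only the last DLL survives."""
    return {clsid: sorted(e["dlls"]) for clsid, e in regs.items() if len(e["dlls"]) > 1}


if __name__ == "__main__":
    regs = com_server_registrations(parse_registry_events(SAMPLE_EVENTS))
    for clsid, entry in regs.items():
        print(clsid, "written by", sorted(entry["writers"]))
        for dll in sorted(entry["dlls"]):
            print("   InProcServer32 ->", dll)
    print("re-pointed:", repointed_servers(regs))
```

On a live host the same grouping applies to a registry export of HKLM\Software\Classes\Wow6432Node\CLSID: a CLSID whose InProcServer32 names an eight-letter DLL in SysWOW64 that ships with no installer and is referenced by an Explorer load point is the artefact to pull.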
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe, Cdgneh32.exe, Cgejac32.exe, Cpnojioo.exe, Cghggc32.exe, Cjfccn32.exe, Cppkph32.exe, Cdlgpgef.exe, Dfmdho32.exe, Dndlim32.exe, Dpbheh32.exe, Dcadac32.exe, Dfoqmo32.exe, Dliijipn.exe, Dogefd32.exe, Dbfabp32.exe
description pid process target process (the report lists each of the 16 parent/child pairs below four times, 64 entries in all)
PID 2080 wrote to memory of 2552 2080 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe Cdgneh32.exe (x4)
PID 2552 wrote to memory of 2728 2552 Cdgneh32.exe Cgejac32.exe (x4)
PID 2728 wrote to memory of 2656 2728 Cgejac32.exe Cpnojioo.exe (x4)
PID 2656 wrote to memory of 2912 2656 Cpnojioo.exe Cghggc32.exe (x4)
PID 2912 wrote to memory of 2452 2912 Cghggc32.exe Cjfccn32.exe (x4)
PID 2452 wrote to memory of 2932 2452 Cjfccn32.exe Cppkph32.exe (x4)
PID 2932 wrote to memory of 592 2932 Cppkph32.exe Cdlgpgef.exe (x4)
PID 592 wrote to memory of 584 592 Cdlgpgef.exe Dfmdho32.exe (x4)
PID 584 wrote to memory of 2924 584 Dfmdho32.exe Dndlim32.exe (x4)
PID 2924 wrote to memory of 1656 2924 Dndlim32.exe Dpbheh32.exe (x4)
PID 1656 wrote to memory of 1232 1656 Dpbheh32.exe Dcadac32.exe (x4)
PID 1232 wrote to memory of 1856 1232 Dcadac32.exe Dfoqmo32.exe (x4)
PID 1856 wrote to memory of 1680 1856 Dfoqmo32.exe Dliijipn.exe (x4)
PID 1680 wrote to memory of 396 1680 Dliijipn.exe Dogefd32.exe (x4)
PID 396 wrote to memory of 2056 396 Dogefd32.exe Dbfabp32.exe (x4)
PID 2056 wrote to memory of 1716 2056 Dbfabp32.exe Dhpiojfb.exe (x4)
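This listing is the WriteProcessMemory view of the chain that the process tree below shows: each stage starts exactly one successor, and the sandbox records the writes parent by parent. The Python below is an added example, not code from the report or the sandbox: it pulls the entries out of the flattened text with a single regular expression (so copy-pasted one-line listings need no line splitting), counts how often each parent/child pair is logged, and orders the unique edges into one chain, refusing input that is not a single linear chain (a parent with two children, several roots, or a cycle). The sample input is constructed from a few of the report's entries with deliberately uneven repetition so the counting is visible.

```python
import re
from collections import Counter

# One WriteProcessMemory entry in the report's wording:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
# The back-reference insists that the third number repeats the source PID.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)

# Constructed input in the report's format (the real listing repeats every pair four times;
# here the repetition is uneven on purpose and two entries share one line).
SAMPLE_WPM = """
PID 2080 wrote to memory of 2552 2080 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe Cdgneh32.exe PID 2080 wrote to memory of 2552 2080 9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe Cdgneh32.exe
PID 2552 wrote to memory of 2728 2552 Cdgneh32.exe Cgejac32.exe
PID 2728 wrote to memory of 2656 2728 Cgejac32.exe Cpnojioo.exe
PID 2728 wrote to memory of 2656 2728 Cgejac32.exe Cpnojioo.exe
"""


def parse_wpm(text):
    """Return (Counter of (src_pid, dst_pid) -> occurrences, dict pid -> image name)."""
    edges, names = Counter(), {}
    for m in WPM_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        names[src] = m["src_name"]
        names[dst] = m["dst_name"]
    return edges, names


def injection_chain(edges, names):
    """Order the unique parent->child edges into one chain starting at the root (a PID nobody wrote into).
    Raises ValueError unless the edges form a single linear chain, which is what a
    'each stage drops and starts the next' sample such as this one should produce."""
    parents = {dst: src for (src, dst) in edges}
    children = {}
    for src, dst in edges:
        if src in children:
            raise ValueError(f"PID {src} wrote into more than one process; not a simple chain")
        children[src] = dst
    roots = [pid for pid in children if pid not in parents]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain = [roots[0]]
    while chain[-1] in children:
        nxt = children[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle in parent/child edges")
        chain.append(nxt)
    return [(pid, names[pid]) for pid in chain]


if __name__ == "__main__":
    edges, names = parse_wpm(SAMPLE_WPM)
    for (src, dst), n in sorted(edges.items()):
        print(f"{names[src]} ({src}) -> {names[dst]} ({dst}): logged {n}x")
    print(" -> ".join(f"{name}[{pid}]" for pid, name in injection_chain(edges, names)))
```

Run against the full listing on this page the chain is sixteen hops long and every edge counts four; the tree below continues the same pattern to a depth of 44 before the last stage crashes under WerFault.exe.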
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9e63d4d493c2789f1dd7f523cc27436b15c0799a6629e15c82b0572ae2088e12.exe") [tree depth 1]
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Cdgneh32.exe (command line: C:\Windows\system32\Cdgneh32.exe) [tree depth 2]
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Cgejac32.exe (command line: C:\Windows\system32\Cgejac32.exe) [tree depth 3]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Cpnojioo.exe (command line: C:\Windows\system32\Cpnojioo.exe) [tree depth 4]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Cghggc32.exe (command line: C:\Windows\system32\Cghggc32.exe) [tree depth 5]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Cjfccn32.exe (command line: C:\Windows\system32\Cjfccn32.exe) [tree depth 6]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Cppkph32.exe (command line: C:\Windows\system32\Cppkph32.exe) [tree depth 7]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Cdlgpgef.exe (command line: C:\Windows\system32\Cdlgpgef.exe) [tree depth 8]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Dfmdho32.exe (command line: C:\Windows\system32\Dfmdho32.exe) [tree depth 9]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Dndlim32.exe (command line: C:\Windows\system32\Dndlim32.exe) [tree depth 10]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Dpbheh32.exe (command line: C:\Windows\system32\Dpbheh32.exe) [tree depth 11]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Dcadac32.exe (command line: C:\Windows\system32\Dcadac32.exe) [tree depth 12]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Dfoqmo32.exe (command line: C:\Windows\system32\Dfoqmo32.exe) [tree depth 13]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Dliijipn.exe (command line: C:\Windows\system32\Dliijipn.exe) [tree depth 14]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Dogefd32.exe (command line: C:\Windows\system32\Dogefd32.exe) [tree depth 15]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Dbfabp32.exe (command line: C:\Windows\system32\Dbfabp32.exe) [tree depth 16]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Dhpiojfb.exe (command line: C:\Windows\system32\Dhpiojfb.exe) [tree depth 17]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Dojald32.exe (command line: C:\Windows\system32\Dojald32.exe) [tree depth 18]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Dcenlceh.exe (command line: C:\Windows\system32\Dcenlceh.exe) [tree depth 19]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Dfdjhndl.exe (command line: C:\Windows\system32\Dfdjhndl.exe) [tree depth 20]
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Dhbfdjdp.exe (command line: C:\Windows\system32\Dhbfdjdp.exe) [tree depth 21]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Dlnbeh32.exe (command line: C:\Windows\system32\Dlnbeh32.exe) [tree depth 22]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Dnoomqbg.exe (command line: C:\Windows\system32\Dnoomqbg.exe) [tree depth 23]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Ddigjkid.exe (command line: C:\Windows\system32\Ddigjkid.exe) [tree depth 24]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Dggcffhg.exe (command line: C:\Windows\system32\Dggcffhg.exe) [tree depth 25]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Dkcofe32.exe (command line: C:\Windows\system32\Dkcofe32.exe) [tree depth 26]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Enakbp32.exe (command line: C:\Windows\system32\Enakbp32.exe) [tree depth 27]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Edkcojga.exe (command line: C:\Windows\system32\Edkcojga.exe) [tree depth 28]
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Ehgppi32.exe (command line: C:\Windows\system32\Ehgppi32.exe) [tree depth 29]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Egjpkffe.exe (command line: C:\Windows\system32\Egjpkffe.exe) [tree depth 30]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Ebodiofk.exe (command line: C:\Windows\system32\Ebodiofk.exe) [tree depth 31]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Egllae32.exe (command line: C:\Windows\system32\Egllae32.exe) [tree depth 32]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Enfenplo.exe (command line: C:\Windows\system32\Enfenplo.exe) [tree depth 33]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Emieil32.exe (command line: C:\Windows\system32\Emieil32.exe) [tree depth 34]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Eccmffjf.exe (command line: C:\Windows\system32\Eccmffjf.exe) [tree depth 35]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Efaibbij.exe (command line: C:\Windows\system32\Efaibbij.exe) [tree depth 36]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Emkaol32.exe (command line: C:\Windows\system32\Emkaol32.exe) [tree depth 37]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Egafleqm.exe (command line: C:\Windows\system32\Egafleqm.exe) [tree depth 38]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Efcfga32.exe (command line: C:\Windows\system32\Efcfga32.exe) [tree depth 39]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Eqijej32.exe (command line: C:\Windows\system32\Eqijej32.exe) [tree depth 40]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Eplkpgnh.exe (command line: C:\Windows\system32\Eplkpgnh.exe) [tree depth 41]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:712 -
C:\Windows\SysWOW64\Echfaf32.exe (command line: C:\Windows\system32\Echfaf32.exe) [tree depth 42]
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Fjaonpnn.exe (command line: C:\Windows\system32\Fjaonpnn.exe) [tree depth 43]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Fkckeh32.exe (command line: C:\Windows\system32\Fkckeh32.exe) [tree depth 44]
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 140) [tree depth 45]
- Program crash
PID:696
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 91KB
MD5 8ca7327f33bc1cc8b6507f8102d5fc42
SHA1 c720e21bf45c1487900069864f91243674af4059
SHA256 71c97b347e8cde72d02ea86f28eb87ff0b245f0e576b6e52a13a17293abf94dc
SHA512 2d3b7aba10277b51ca2332759224c41c137379c577269e0fea86d67fd646a5ef5fb6cc235933b4191530b02edc616722d6c2ce03336aed644a3e38ee77c434af
-
Filesize 91KB
MD5 9038d670a71d0aa8059b5b0d8f1a2802
SHA1 41a1b89b93ac499bc481a1958abe4fbb6ed5880e
SHA256 abc86449893ea104688705744696137632d3670b49dbc3521e0c7870e8d7e9a6
SHA512 e22317606b79fb4ea65e9eceb0d32a15a3ac9bd0f3007e9c82af97caffae9c1f0a30a27c54dc0e6e0982a4cc53497ed0d01d22477f01a34f7afda59d4cf54481
-
Filesize 91KB
MD5 0a69037e9b9033b2b9f9474f62340fe4
SHA1 2d35b25a31cffe8603dbb8b1541f5e6a39854106
SHA256 b28a48acac8af0839873d0d603d3bd1f50d78b1021be2a0940a6e5d92d994452
SHA512 a0d57a25516364a7f05de7708b6f8f613b4d849769396d98bdc9ba0e28155d855af64b0b243762e7c430ea2f30ef9e91a28905fbef99870741f6cb16c7dfe983
-
Filesize 91KB
MD5 70cd1d3ac7b20907aac1715f10d19a5e
SHA1 47774e15f13adc29c5782a6df7479e2c76189e4f
SHA256 d7317f2c1c37f5214c10ff30bf280c76651909c3f86ea67eb1d9f5ca3426ba07
SHA512 a8719132a85f3933bc84ffe2e4de2a21360daa6031da705127c976315e7ee655019932af997af727f267151f39bcea816a5d0ec5da2e64ef4d60567f7e8a6452
-
Filesize 91KB
MD5 9f9b572f7e79ede7736229f0fd483aa4
SHA1 2771774cf9688e51110556ec685f8c3d968ef7c4
SHA256 ca4ecf35cb9dbc10d92f6843658e0be62bded3e8fd9e6b837ad0e8823d5958ef
SHA512 d6b25aefd9588b27dae2702b94e62a4a1d1ad6662ab2437d650e5b9f8debc07e16c1b416b8416b411bb2cbe0978963fc17693384b0f19c03570bb780e891511e
-
Filesize 91KB
MD5 21d9ed0c6f5c5ef055ebc146c15eab8a
SHA1 68de7c7eac55241c5742b3e37c05f1745a245904
SHA256 534280c42b09f1ef1cefaef8fc80d39e598f7648cc7a88e416ef7dd16f6e83f1
SHA512 4bc1cd7dbfe81107ae8470014663b017b8dd45b526b8fdae7e13d335dd5cd08c2ffa2dd830bbec9f4515a5b4f486f5519c94967c8190a1cef3c6e0d80262cbda
-
Filesize 91KB
MD5 939a19435634d88abe2020eeb995640c
SHA1 66548fb1a8129bc198c2cda25c562f7ccb85cff2
SHA256 12b0609d6b3ea6f937049f1bdeca2b93b3556f3f0410d642fb9df0b73b7fddad
SHA512 12d442fbdd8180e086c5381a317b8cb61dbad07cd6aef7691a151839f751b274ce699809d1392de6120cdfe2d3c4798dbce18233008e061c3e3bcf32f1b4b9dc
-
Filesize 91KB
MD5 e2198bd097c0f38cab7c4af875a7ca2e
SHA1 4f691ee5219498e8fc68bb3578d35fe9a243e5fb
SHA256 4213940c56a8dbc9302e1cfad0195ff167fe62048f3af54cf8f5da3fe2c8cade
SHA512 51d2768182740b2c881ea450f4bc3b2ad5e14108082502e0654e634442c0c19167ad2f1662369647f62053bd25a213b92ffdf65c4b0d1273c5438b69e33cf019
-
Filesize 91KB
MD5 557f8081e2695b2ea81eff7e8888042e
SHA1 b30fefcec235b70a4b7f92c11edc2d846f986d48
SHA256 06617918fe6fce2fbc137ce088553da60b7b94b5d8c823e2f30c3e9bf151d6e4
SHA512 600352350b907c015d2c638901833641dd95a7363cf0ca7d9e8c9f6e231dab52615bdcf3adcfd18e2f914f2932f1e22f5ce945a30ce1d4340527e33d5cb1f7f8
-
Filesize 91KB
MD5 820a99c27b75dc5eb0a845f04ed6dcab
SHA1 ac02e8887237fd0ffecae6fc4fd5eac7094db2c4
SHA256 e34561ffc0d3797076745a0fcf196e97bccb2384da5c60b48fcd3021feba92df
SHA512 d8f9f9e94ee9d3b4a39dd51812226e4f73777ee88af4ad82d62b92084960ff60913ca33a3790d2ff18d53620d5675313e025840347fce5bcf7fb3bd65824dc0c
-
Filesize 91KB
MD5 b99a2865d6e6ae43f0ac6e21d13ab64c
SHA1 fabd9e5c73df2bf3557e2acf9285a3f6792b4b9d
SHA256 6e205890dfc3bc777898498e05f24fc945646f95e4a1f4a8788e3dec62353e4e
SHA512 d27bdcdcad5d14de3240336d7478e0a7b4a4114fe848f6e61bbbc4f3ec38bcd71ab281a501c38c486d1150530b58971a3b5cd9044ed8be183e148fe863e3bc49
-
Filesize 91KB
MD5 6f657c3c748465c526a5b4eb66db4c6b
SHA1 ec0582eb699cf3a61155ba48248d2da8524993cd
SHA256 108ac8764b5cefb6c5bdc1ac59d5bd759d9d954f4382d81e06aa22d5a27e5b2c
SHA512 3244faac838cbf1bdaedc661ee513035a1ed66b42eff3ad0f8538244bcc35ac33d145109e9abd863a2b9ecbe0bebfb859e5167ce187a5a897f41df05257f4c24
-
Filesize 91KB
MD5 8bf2fc1d75852d238ec7854bf798a15c
SHA1 0c96e29673a9e137ac06f49eb8117ed4e356eb03
SHA256 524a3fa058c5ca166e6a9a256b5fd29cb4bec4ca8f0cb0d3c5b3a478f8a820ae
SHA512 981bde43ef0b74c2b7665f9428a8d46cd85c63dfb5dbf2c8dcfda3271fd2c3c72256fc9baeaf660ac46d600269369a8027a6eacb5ac5b355270aa2c8077ee706
-
Filesize 91KB
MD5 0126726b4b90f623ad9538444867ca35
SHA1 f7a812716a237776e408adf6cc52c7b1956efeb7
SHA256 ca14df8fe2c19829533e75bc2af4b2464d43ad56dea0e499819844dc80a062bb
SHA512 18ad10db8380b6fbebe9b4dde7e785b07cb31b1bb9b0a5cddebc94af3182025db50fbbe7f3649d411e468c820257706eb85796ecf9af2bd76c7ced2bae8e624e
-
Filesize 91KB
MD5 e083a80dcef2bc3284e54f591100c763
SHA1 96f5e21c13997ca77d488a8d528f4e87a7087996
SHA256 657e9ab59ef33785729d9653d69c15f1088249b64a484b221f3733b5af5cc7e1
SHA512 301889548b5ead697d6ce5f19c1ba2db07b69934ad752862d1b4457fbc5abdad622d0750fccc65c349f2b6d3dd7e9a4f4436d7b23741d8ff2c3902f1df8b4c8d
-
Filesize 91KB
MD5 fa5e168608416f1530c2865bc54085f9
SHA1 2a03ee23145a22335954697f19bf960d52dbdc66
SHA256 6094d67d55e7b04c9b26842c8414413016a39c0f6f1aa88bb58e1257531e17f7
SHA512 2d0985436ba93552d439b0fdf2fc203e1a5cbd71e6bc6230b9fb718b3081a9bf0a42796eb08ddf074eb16bc591cdf628e9fbff35e31f3916d105592b9a137608
-
Filesize 91KB
MD5 c837b4713f81f945edc6a13a012c7e61
SHA1 814f7f42c4fbe98071894888e8dfeba232ce367e
SHA256 3168f2f3bf1cb1abf90e125d3373bf1e18f5553588a316e290beb53574ceb533
SHA512 3c864425b9394877d3787dd8a5e3b71d00f2da0d583a401e7918a9830eefea86e29d0160d5c042e7b3e85d1a9c555a7f8723aacfd357bb8b6d658bc5f360432b
-
Filesize 91KB
MD5 94b8fd86510375efd6e1d968525c1f13
SHA1 efe47c64424ed309d07b30cc37cc98dccd172efd
SHA256 df727da38da32e8da234635bf5d4893cf3a965080111103883117662766518e7
SHA512 4247c20668e1f865ac8c2bf60fcc31d59adc1ba748cfe2df889596d84a420df57118466684ce27e227706f6aeff6a2d21e74c0750a6b69151daa373d55957aa8
-
Filesize 91KB
MD5 3f56e7bec3347e3268e09b1c91c0c150
SHA1 0521cc41d976ac200d8fe8e9b54836282a7b6e37
SHA256 cccbc3afa372918ea7fe20668761847791a4e14b87df9103042bfa6373026090
SHA512 d238fa61c3e08e6dd8c280f4e413319f09b3124780792bf52f8631092a5c549236e81fa03d1c903337f8584c5bc0c5ba277ad665bcc10342f57eaae48bca42d6
-
Filesize 91KB
MD5 a8a8a6babcb06b90be0f62cf033baafd
SHA1 b00e3315e897772247363018767a266ebc2f08fe
SHA256 ba15e37c58cf626e1158589ddb58b1d519d37fb6e7f360dd9c5890efbdacf94f
SHA512 fc6a0eeb28cf405bafe752fd8d7b95823b622872deb766efaa10c67e419c33d297bff1867a2c2039499c4f7752f6e57a7eedf627b979e1f0b68d69abb46ead22
-
Filesize 91KB
MD5 7684c3d7f35befdfc527bef1b1028e75
SHA1 bce42da97a73d41fedd99871e884c111d4abfe86
SHA256 3051c0317b5a0259b02d01ddff3461b833cdc63c03049e176241349d16440747
SHA512 f44f687cad83ca635af922989239b270d3ce691109a92550ffd65c6fefff94f0f5fcf95695b54c4bce5087321fd576284b301491eafea40f9bc562c58f30ab0e
-
Filesize 91KB
MD5 054eafa5e2bb2a9bca888d5a45d33518
SHA1 e40667a3dff8d481a76b9b698cdea3a75ea3588c
SHA256 bbdd9bf8884881bab7fe3f970b085382ba1aa7154e2417c38c03cc6f81372b61
SHA512 e2d8161d3105caf9cd7f131e0fcd8977a01743ce4eb788908de05bfe4a4fb7294256e5712bcfdaa024e091465eb5f93aceea31a96a887a7fece171af40b32c9d
-
Filesize 91KB
MD5 cb7819eb3de54d2bb566490848632ea7
SHA1 842b4e1f14e66ec6a08715f5a9e6d34dba6e1b8e
SHA256 3bca3dd93729af19f605cce7b82dc7ed3d9433df14bbf76de30ae4e564585eb2
SHA512 cde49e31b9dbb086fb85cc89493772e495c1f76c1e2e233c7540c5ee87f115c195e2eddc211fe3730f40fc49e8139a99bfea10ce9d6941d37853f2e39adb9cc5
-
Filesize 91KB
MD5 c4a444d141a113e9047230b49e06e088
SHA1 7e5b8cced46e2457568517daca07178b7e038604
SHA256 8cac2b16259973fb259cf6c2c847a04085f980be8c5e944806c76443fb536ca1
SHA512 ffc3e275a81da61e7ed3c07cdac95b7437e6e1ad79cbf1b25f06439c0b4a15947c6504f0ffaa47e7e3b77bfb4242990d4987bf4b75cd426a47be1db6ccb63b68
-
Filesize 91KB
MD5 c545448ad3afa3257492ce877300b7a9
SHA1 c17efcb715497b523c1cf6184c682c8a7f26a867
SHA256 d46dc90955958051d0d3c6ee2936b8f125c7106e53de091d3db008a7af1d2367
SHA512 df298967fd6d413724888c8c40dfa8d228947d3c619022ba7f038d31b8028c398a2e93f8deb806971a4b1bdf92e789988ef24e6d86f2ecbc21277124814cec6b
-
Filesize 91KB
MD5 b5b66cee32d6f87d208821068e6a516a
SHA1 20c13ff9e56429cba4ae887d68d515747878f7eb
SHA256 1c0c5ec3b629a75bbfa779a6ac0eb5ada16630d94debb9a252883b404ef48c37
SHA512 c5583258f451e70f50439a8cb5d14e569e8c4f3b99b9ddcbe66825c77e925686b69ce40265cd0d177559a605154e23c3930926037f21b8b1c1b5f098ef885829
-
Filesize 91KB
MD5 f494fdd3e3b61ef880e1409d1c419d63
SHA1 5a8b0f0069c1ab9bfc74505a5ef829dd401b70ea
SHA256 df9df9604a90ad1094b55a9c6bc01c0218a8d0b485251d48e721c77357c32032
SHA512 6c0a1169000ca24e0b0b6599485286a0c1e5e7965fff5593eddd112b9606f7ccddfb4353925b19fbf5cb8865ccf2dde81c60fd1013f169a1b8ac1e25ab0adc9c
-
Filesize 91KB
MD5 2d563c57e8cae69fe87c4a839e13a0bf
SHA1 cf7d80216335a8569f2c661f2ba0cc01d2ac78ad
SHA256 8aa8841dceb31ab1bdf06885e4b1c3f9032184b897b83bfa2e480c125103a565
SHA512 82ef44d643655183ff3c607465e36329626eaf266eb8b8ec6c4039c5fadc1dcee3936bff03551a06900af2cd1be33892154420cf139e892729b3343d2a8a4b2f
-
Filesize 91KB
MD5 d39ae577e35817ea88c96f327d350709
SHA1 4380f74866423cef71725577d982145bbbaf2237
SHA256 f4b6962e11dc33c1f777c5aeb193e8ec7f43a06865a72f7bd7068f6915154ef3
SHA512 cdd4e2392169acaccdb1edc2adee99241567ad58003e56241fd8407114b62a4d04d497efbe2b21f80b4f79186903e789d9b9bc0379ddd801b4295b6e917f2f49
-
Filesize 91KB
MD5 e78f729f3104d84cacf038599ceec281
SHA1 3c6dfc30e530c6eb8b7a70dfe4f630eb3f04872e
SHA256 15f392d63a99cae5abd4a7fc74250ea6700fe6c3a239d623e3fa8c8840075958
SHA512 a4dcdf43e22d6de40680b04484fdf6a01fa1ec5164cba9f2310f483376101acf8f46ed6110aa0785c6ecb96cf2298ea982876d882867e930620b63f262b95a52
-
Filesize 91KB
MD5 0939685de6308fc1931ee7bf71b59496
SHA1 6eb4286fd8e42dc171d6d376335669dc7827aa06
SHA256 da258f5ace4ea4c15044ca8f79e3f2d666f118b46eb85e6b91b7c484400bec5b
SHA512 115824021549b17148229d00dc891a8300ef65c87f1c5e157406cdb90df4ed56151ff38c53145ff1ac566f8da3d0ccde462e7eb74a5ef6e68bbe8e9821f0e5bc
-
Filesize 91KB
MD5 eabf2ba79bf9d0088f90141df63cd8d8
SHA1 82b621cdc5a69c0068a8dae5f689fcd1516bb2cd
SHA256 b8d6a1f6b48f2c76c66ec558d008d695ec838258f325abc6a80182f58e3a24c3
SHA512 79e42ec458b268fb4505c5bd4f47f1492cadbc29ecc62e5dd2bdee8788af64c1ccc9a10d2bc37d110c948ae1cacc941700e0328e7593d391028ea7af3c316525
-
Filesize 91KB
MD5 9a369ab633a265629c566ad9e7223f4f
SHA1 f90df900cd5a3ded8be51fadfca7ca866296ae05
SHA256 4f18a4531af5ad2b9e9abaffabc261edf7cb765bc4c42b11d007a3b399a679aa
SHA512 329b26b519ca6339c83fd37bce9344001f24834633a54bde1b0efcabcaee463231f700953aea69c704ed04120f6c2635b26159faa94fb7569dc52e0ca84b7e83
-
Filesize 91KB
MD5 20a1af46e066a7b84b203caf279b59c2
SHA1 8205c2b26f45c262de0c4d864ab4cc8711c8ca00
SHA256 6c5d4afabda022631fe3b1d44d3be1cd622ea89fc93ccd1c280cd9c70926f958
SHA512 371319bab29a69639882c2abf6f62da6afd0e5a9dfe374b490f9db8a58e3aa168acb53ec08cb7ad8ca819f41b78e5f6691840f9a416e198724b5a2c2da95c98b
-
Filesize 91KB
MD5 08a72ec14363b6b6376f557e7ba20002
SHA1 a7b21af6564e672e0a392eb46c3e78d0854aa47a
SHA256 8817b20257a782adb83fbc7920ccb9843c7d0d97bb39b55525b6b2dfcd26ce1c
SHA512 05bcab5dfe2a0c1d75ef0474a0de0ad9dc2e800fc712c0deee81df3fa9a755c9225a958b1131738fc686a1861c8b9b015a6a9ffe1f5f8df9fd949fe2bcd9ec95
-
Filesize 91KB
MD5 75bb52f00115e48d5aff3caaa1a9c316
SHA1 1fb3097c1d4d0bc0dc79c0e5e96f947551981ec8
SHA256 fe29aa9022f4fdb6d07633fe15f2d7eac12bdcb47535a1fc6331301eac85fb48
SHA512 1e5375788fcb85d9c819b433a65d2316e47eeaf419f86fa22690e71aa7f24f77f119ac51318ca9a8f450de6ed800cf9bcd148998e1dc17c969d273dde7a6c994
-
Filesize 91KB
MD5 94d0ca5ba15f3253be0cea37ef8aa1c2
SHA1 cc68a301e08d7b9e5ebfb14e961f5e707de89817
SHA256 3dfc4f05c190208c447efb227dce60912ef11a9bd4736fd331cd8690c9ac60c1
SHA512 ab51985751a833ab8ff5f6a6c71345d341124aaa920760a8de330cef93ce5e17548424e2a073f121160debb4b901136dd40fdb8ea67c1e466c370dc9d55a7029
-
Filesize 91KB
MD5 cfe9ecb7223a9a543682ab08258683aa
SHA1 39652a10144d59f3c37aa0cecd83c4fa9984b23d
SHA256 492af391a4d22905edc5c3b7367263e1f3875a41c63d439d6fb9c920c2d62f50
SHA512 87f25b50fbb99a7f08e4cff925f8a3b7309a21d4b6761232541febbb8f0c3b902063c8ef3401b963036d089da9a4ca38dca1da59205813042194b0ccd5075b7d
-
Filesize 91KB
MD5 a37a34807b0223fd051abb8b8daf1e4b
SHA1 5374c22d1f1875a7959cba703554b088b17bfb7c
SHA256 76a5d9b9372b2c687e14487a668b50046b4d654f09e77f2f4f87d939b2d8d181
SHA512 49ca4f8900ebf4cd19f7fabdc46111dd1c426fc311c92e97bf2aff8f84d8e7c2ee9d474c887c418622f993a32ce21a03a5c930c9a75eab3bfd7e27330134d4de
-
Filesize 91KB
MD5 c0e7aaba7ad4537e513c5396043d295b
SHA1 97e5c18ba1c9fd82c1f1d1d9388945eb7f773532
SHA256 9384eb5ece09f99d81efaac7e11a515c375b457c38a548cfa1e7a39e7f443cc8
SHA512 d6092818462cc26f3dea8223d6a71209da36f61224112e6ff19eb7e8f9393cd14f3aa52ce0dfb9d922a8732f0adde9aacd4bffca92b94979ea2eb52a51949ae3
-
Filesize 91KB
MD5 eaf63ec77866eb85961ebd8f5745f04a
SHA1 3841724edd09f8148a17079e37f837792d71d961
SHA256 1563f180faeb67a19f45cda7a8d5d08a6b2bcce5dce23f7667a6b32a4095aa78
SHA512 1fd978777689d54f81942cea697deda9945f7ed2370094cec8b360375cce39e5acbaee4ef5135f875818f6171f88ac29af85a02ec2954259a0ccc7d069d54ac9
-
Filesize 91KB
MD5 854a8404aeea3ed885b47a3b74e58282
SHA1 4bd1af896eb864a64daeac37a90e5d2b88c6b8b0
SHA256 3efce51070d9a2a98a46c953466d564b2380ead851354c2b6e94f115ae0872bb
SHA512 89b56fa551465aca8b1f7c89a8ef01b693fcd776e15f859726a5f7a4ea0ac7df2ed74e74364033b2e1facf2498da265bd543f5019c4efb67209650af3644c107
-
Filesize 91KB
MD5 471e2dccde09621d9bfa73c2024c154c
SHA1 a322e353313e12ba208833e5a5dbf9274fbfd0fa
SHA256 1da8770fe800cc06fff1802331e7f1c84366bd36be15025d36eba5af6b2695d7
SHA512 2f114bec9e0a68a170d295fec3b3c1ca06b98a0e9cbe1b4edaa6564951ae435defdd16d5bcc0ccbc087e371817159b15fd36f505ea0b4785934ca974deadb0d7
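Every dropped file in the listing is 91KB yet carries a different digest, so a hash blocklist built from this report needs all 43 records, and the report's habit of fusing the label to the digest ("MD5<digest>") is easy to mis-parse when the listing is copied into a tool. The Python below is an added example, not part of the report: a parser for this listing that accepts both the fused and the spaced label forms, checks that every digest has the length its algorithm requires, and returns the validated SHA256 set. The first two records of the sample input are copied from the listing above; the third is constructed, with a truncated SHA256 and no SHA512, to exercise the validation path.

```python
import re

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label fused to the digest ("MD58ca7...") or separated by whitespace ("MD5 8ca7...").
HASH_RE = re.compile(r"^(?P<label>MD5|SHA1|SHA256|SHA512)\s*(?P<hex>[0-9A-Fa-f]+)$")
SIZE_RE = re.compile(r"^Filesize\s*(?P<size>\S+)?$")

# Constructed input: records 1 and 2 are copied from the report; record 3 is made up
# (zero digests, truncated SHA256, missing SHA512) to show what validation rejects.
SAMPLE_DOWNLOADS = """
-
Filesize
91KB
MD58ca7327f33bc1cc8b6507f8102d5fc42
SHA1c720e21bf45c1487900069864f91243674af4059
SHA25671c97b347e8cde72d02ea86f28eb87ff0b245f0e576b6e52a13a17293abf94dc
SHA5122d3b7aba10277b51ca2332759224c41c137379c577269e0fea86d67fd646a5ef5fb6cc235933b4191530b02edc616722d6c2ce03336aed644a3e38ee77c434af
-
Filesize 91KB
MD5 9038d670a71d0aa8059b5b0d8f1a2802
SHA1 41a1b89b93ac499bc481a1958abe4fbb6ed5880e
SHA256 abc86449893ea104688705744696137632d3670b49dbc3521e0c7870e8d7e9a6
SHA512 e22317606b79fb4ea65e9eceb0d32a15a3ac9bd0f3007e9c82af97caffae9c1f0a30a27c54dc0e6e0982a4cc53497ed0d01d22477f01a34f7afda59d4cf54481
-
Filesize 91KB
MD5 00000000000000000000000000000000
SHA1 0000000000000000000000000000000000000000
SHA256 deadbeef
"""


def parse_dropped_files(text):
    """Split the Downloads listing into one dict per dropped file; '-' lines separate records."""
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        if line == "-":
            if current:
                records.append(current)
            current = {}
            continue
        if current is None:
            raise ValueError(f"field before the first '-' separator: {line!r}")
        size, digest = SIZE_RE.match(line), HASH_RE.match(line)
        if size:
            value = size["size"]
            if value is None:                      # report form: the size sits on the next line
                if i >= len(lines):
                    raise ValueError("Filesize without a value")
                value, i = lines[i], i + 1
            current["size"] = value
        elif digest:
            current[digest["label"]] = digest["hex"].lower()
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if current:
        records.append(current)
    return records


def validate_records(records):
    """Return (record index, message) for every missing or wrongly sized digest."""
    problems = []
    for idx, rec in enumerate(records):
        for label, length in HASH_LENGTHS.items():
            value = rec.get(label)
            if value is None:
                problems.append((idx, f"missing {label}"))
            elif len(value) != length:
                problems.append((idx, f"{label} has {len(value)} hex digits, expected {length}"))
    return problems


def sha256_blocklist(records):
    """Unique SHA256 values from records that passed validation, sorted for a stable blocklist."""
    bad = {idx for idx, _ in validate_records(records)}
    return sorted({rec["SHA256"] for idx, rec in enumerate(records) if idx not in bad})


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_DOWNLOADS)
    print(f"{len(recs)} records, sizes {sorted({r['size'] for r in recs})}")
    for idx, msg in validate_records(recs):
        print(f"record {idx}: {msg}")
    print("\n".join(sha256_blocklist(recs)))
```

Feeding the whole listing above through parse_dropped_files gives 43 records; a duplicate SHA256 across them would collapse in the set and is worth flagging separately, since this family writes a new file per stage and identical drops would mean the listing, not the sample, repeated itself.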