Analysis

max time kernel: 96s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:04
Static task: static1

Behavioral task: behavioral1
Sample: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Resource: win10v2004-20241007-en
General

Target: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Size: 872KB
MD5: e0edae4a46dd4ea2c3a68ad6f31a303c
SHA1: 0c276ff55ba2851e08c62e5b6c902178acc423d8
SHA256: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60
SHA512: 0be68fafa3ffb85bc978a1fca666e852efb55a3680489d35d64950d7c8990fce129f5935f97ec84de95f5149c51b0eab36a54c32732ddcff50ac96868589db8f
SSDEEP: 24576:GDHFh2kkkkK4kXkkkkkkkkhLX3a20R0v50+Y:4xbazR0v
Malware Config
Extracted
berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 20 IoCs)
Processes: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe, Cjpckf32.exe, Cmnpgb32.exe, Dknpmdfc.exe, Dhfajjoj.exe, Ddonekbl.exe, Dhmgki32.exe, Dejacond.exe, Dfnjafap.exe, Cjbpaf32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjpckf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmnpgb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhfajjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjpckf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmnpgb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dejacond.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjbpaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjbpaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhfajjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dejacond.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfnjafap.exe

Berbew family

Executes dropped EXE (10 IoCs)
Processes: Cjpckf32.exe, Cmnpgb32.exe, Cjbpaf32.exe, Dhfajjoj.exe, Dejacond.exe, Ddonekbl.exe, Dfnjafap.exe, Dhmgki32.exe, Dknpmdfc.exe, Dmllipeg.exe
pid | process
1828 | Cjpckf32.exe
2484 | Cmnpgb32.exe
4964 | Cjbpaf32.exe
4928 | Dhfajjoj.exe
4580 | Dejacond.exe
2060 | Ddonekbl.exe
3836 | Dfnjafap.exe
804 | Dhmgki32.exe
3676 | Dknpmdfc.exe
3116 | Dmllipeg.exe

Drops file in System32 directory (30 IoCs)
Processes: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe, Cmnpgb32.exe, Cjbpaf32.exe, Dejacond.exe, Cjpckf32.exe, Ddonekbl.exe, Dhmgki32.exe, Dfnjafap.exe, Dhfajjoj.exe, Dknpmdfc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Cjpckf32.exe | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
File created | C:\Windows\SysWOW64\Cjbpaf32.exe | Cmnpgb32.exe
File created | C:\Windows\SysWOW64\Jgilhm32.dll | Cmnpgb32.exe
File created | C:\Windows\SysWOW64\Eokchkmi.dll | Cjbpaf32.exe
File created | C:\Windows\SysWOW64\Mjelcfha.dll | Dejacond.exe
File created | C:\Windows\SysWOW64\Cacamdcd.dll | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
File created | C:\Windows\SysWOW64\Ffpmlcim.dll | Cjpckf32.exe
File created | C:\Windows\SysWOW64\Poahbe32.dll | Ddonekbl.exe
File created | C:\Windows\SysWOW64\Nokpao32.dll | Dhmgki32.exe
File created | C:\Windows\SysWOW64\Dknpmdfc.exe | Dhmgki32.exe
File opened for modification | C:\Windows\SysWOW64\Dknpmdfc.exe | Dhmgki32.exe
File created | C:\Windows\SysWOW64\Cjpckf32.exe | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
File opened for modification | C:\Windows\SysWOW64\Dhfajjoj.exe | Cjbpaf32.exe
File created | C:\Windows\SysWOW64\Ddonekbl.exe | Dejacond.exe
File opened for modification | C:\Windows\SysWOW64\Dfnjafap.exe | Ddonekbl.exe
File created | C:\Windows\SysWOW64\Dhmgki32.exe | Dfnjafap.exe
File opened for modification | C:\Windows\SysWOW64\Cjbpaf32.exe | Cmnpgb32.exe
File created | C:\Windows\SysWOW64\Dejacond.exe | Dhfajjoj.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Hpnkaj32.dll | Dhfajjoj.exe
File opened for modification | C:\Windows\SysWOW64\Ddonekbl.exe | Dejacond.exe
File created | C:\Windows\SysWOW64\Fpdaoioe.dll | Dfnjafap.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Cmnpgb32.exe | Cjpckf32.exe
File opened for modification | C:\Windows\SysWOW64\Cmnpgb32.exe | Cjpckf32.exe
File created | C:\Windows\SysWOW64\Dfnjafap.exe | Ddonekbl.exe
File opened for modification | C:\Windows\SysWOW64\Dhmgki32.exe | Dfnjafap.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Dhfajjoj.exe | Cjbpaf32.exe
File opened for modification | C:\Windows\SysWOW64\Dejacond.exe | Dhfajjoj.exe

Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
4440 | 3116 | WerFault.exe | Dmllipeg.exe
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Cjpckf32.exe, Ddonekbl.exe, Dmllipeg.exe, 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe, Cjbpaf32.exe, Dhfajjoj.exe, Dejacond.exe, Dfnjafap.exe, Dhmgki32.exe, Dknpmdfc.exe, Cmnpgb32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjpckf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddonekbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjbpaf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhfajjoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dejacond.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfnjafap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhmgki32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dknpmdfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmnpgb32.exe

Modifies registry class (33 IoCs)
Processes: Cjbpaf32.exe, Dejacond.exe, Ddonekbl.exe, Dfnjafap.exe, 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe, Cjpckf32.exe, Dhmgki32.exe, Dknpmdfc.exe, Dhfajjoj.exe, Cmnpgb32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjbpaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dejacond.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" | Ddonekbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" | Cjpckf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" | Dejacond.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjbpaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" | Cjbpaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dejacond.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Dknpmdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhfajjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | Dhmgki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cmnpgb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmnpgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll" | Cmnpgb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhfajjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" | Dhfajjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" | Dfnjafap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjpckf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjpckf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe, Cjpckf32.exe, Cmnpgb32.exe, Cjbpaf32.exe, Dhfajjoj.exe, Dejacond.exe, Ddonekbl.exe, Dfnjafap.exe, Dhmgki32.exe, Dknpmdfc.exe
description | pid | process | target process
PID 1428 wrote to memory of 1828 | 1428 | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe | Cjpckf32.exe
PID 1428 wrote to memory of 1828 | 1428 | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe | Cjpckf32.exe
PID 1428 wrote to memory of 1828 | 1428 | 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe | Cjpckf32.exe
PID 1828 wrote to memory of 2484 | 1828 | Cjpckf32.exe | Cmnpgb32.exe
PID 1828 wrote to memory of 2484 | 1828 | Cjpckf32.exe | Cmnpgb32.exe
PID 1828 wrote to memory of 2484 | 1828 | Cjpckf32.exe | Cmnpgb32.exe
PID 2484 wrote to memory of 4964 | 2484 | Cmnpgb32.exe | Cjbpaf32.exe
PID 2484 wrote to memory of 4964 | 2484 | Cmnpgb32.exe | Cjbpaf32.exe
PID 2484 wrote to memory of 4964 | 2484 | Cmnpgb32.exe | Cjbpaf32.exe
PID 4964 wrote to memory of 4928 | 4964 | Cjbpaf32.exe | Dhfajjoj.exe
PID 4964 wrote to memory of 4928 | 4964 | Cjbpaf32.exe | Dhfajjoj.exe
PID 4964 wrote to memory of 4928 | 4964 | Cjbpaf32.exe | Dhfajjoj.exe
PID 4928 wrote to memory of 4580 | 4928 | Dhfajjoj.exe | Dejacond.exe
PID 4928 wrote to memory of 4580 | 4928 | Dhfajjoj.exe | Dejacond.exe
PID 4928 wrote to memory of 4580 | 4928 | Dhfajjoj.exe | Dejacond.exe
PID 4580 wrote to memory of 2060 | 4580 | Dejacond.exe | Ddonekbl.exe
PID 4580 wrote to memory of 2060 | 4580 | Dejacond.exe | Ddonekbl.exe
PID 4580 wrote to memory of 2060 | 4580 | Dejacond.exe | Ddonekbl.exe
PID 2060 wrote to memory of 3836 | 2060 | Ddonekbl.exe | Dfnjafap.exe
PID 2060 wrote to memory of 3836 | 2060 | Ddonekbl.exe | Dfnjafap.exe
PID 2060 wrote to memory of 3836 | 2060 | Ddonekbl.exe | Dfnjafap.exe
PID 3836 wrote to memory of 804 | 3836 | Dfnjafap.exe | Dhmgki32.exe
PID 3836 wrote to memory of 804 | 3836 | Dfnjafap.exe | Dhmgki32.exe
PID 3836 wrote to memory of 804 | 3836 | Dfnjafap.exe | Dhmgki32.exe
PID 804 wrote to memory of 3676 | 804 | Dhmgki32.exe | Dknpmdfc.exe
PID 804 wrote to memory of 3676 | 804 | Dhmgki32.exe | Dknpmdfc.exe
PID 804 wrote to memory of 3676 | 804 | Dhmgki32.exe | Dknpmdfc.exe
PID 3676 wrote to memory of 3116 | 3676 | Dknpmdfc.exe | Dmllipeg.exe
PID 3676 wrote to memory of 3116 | 3676 | Dknpmdfc.exe | Dmllipeg.exe
PID 3676 wrote to memory of 3116 | 3676 | Dknpmdfc.exe | Dmllipeg.exe
Processes

The bracketed number is the nesting depth of the process in the tree.

[1] C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe"
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1428

[2] C:\Windows\SysWOW64\Cjpckf32.exe
    Command line: C:\Windows\system32\Cjpckf32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1828

[3] C:\Windows\SysWOW64\Cmnpgb32.exe
    Command line: C:\Windows\system32\Cmnpgb32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2484

[4] C:\Windows\SysWOW64\Cjbpaf32.exe
    Command line: C:\Windows\system32\Cjbpaf32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4964

[5] C:\Windows\SysWOW64\Dhfajjoj.exe
    Command line: C:\Windows\system32\Dhfajjoj.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4928

[6] C:\Windows\SysWOW64\Dejacond.exe
    Command line: C:\Windows\system32\Dejacond.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4580

[7] C:\Windows\SysWOW64\Ddonekbl.exe
    Command line: C:\Windows\system32\Ddonekbl.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2060

[8] C:\Windows\SysWOW64\Dfnjafap.exe
    Command line: C:\Windows\system32\Dfnjafap.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3836

[9] C:\Windows\SysWOW64\Dhmgki32.exe
    Command line: C:\Windows\system32\Dhmgki32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 804

[10] C:\Windows\SysWOW64\Dknpmdfc.exe
    Command line: C:\Windows\system32\Dknpmdfc.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3676

[11] C:\Windows\SysWOW64\Dmllipeg.exe
    Command line: C:\Windows\system32\Dmllipeg.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3116

[12] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 396
    - Program crash
    PID: 4440

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3116 -ip 3116
    PID: 4680
MITRE ATT&CK Enterprise v15
Downloads