Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:05
Behavioral task: behavioral1
Sample: 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Resource: win10v2004-20241007-en
General
Target: 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Size: 128KB
MD5: 7d976140cde1e2527006129321410b74
SHA1: 7542e04d3bf41e168f7d3269506f3747228bed10
SHA256: 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2
SHA512: 30aa2628db8e1bcde1f2aae0f2cdcd71e21485eefa8afefea8c0613272c5183c565144fa9d91116f243e1b5cdedd9ef8ef05549b1ce9ba1b622196c676143593
SSDEEP: 3072:pZld0+59gmrBCJocOw8asCHNhMXi6Y0HYSx9m9jqLsFmp:Nd/rBCrO2xUS6UJjws6
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 36 IoCs)
Processes: Daekdooc.exe, Cjbpaf32.exe, Dfnjafap.exe, Dfpgffpm.exe, Dgbdlf32.exe, Ddonekbl.exe, Deokon32.exe, Cegdnopg.exe, Djdmffnn.exe, Daqbip32.exe, Djgjlelk.exe, Dhocqigp.exe, Cmqmma32.exe, Dhhnpjmh.exe, Dmcibama.exe, Dodbbdbb.exe, 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe, Cdhhdlid.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Daekdooc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjbpaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daekdooc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgbdlf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deokon32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cegdnopg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djdmffnn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Daqbip32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djgjlelk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhocqigp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmqmma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhhnpjmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djgjlelk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmcibama.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhhnpjmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daqbip32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dodbbdbb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhocqigp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjbpaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cegdnopg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmcibama.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Deokon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdhhdlid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmqmma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dodbbdbb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdhhdlid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djdmffnn.exe
Berbew family
Executes dropped EXE (18 IoCs)
Processes: Cdhhdlid.exe, Cjbpaf32.exe, Cmqmma32.exe, Cegdnopg.exe, Djdmffnn.exe, Dmcibama.exe, Dhhnpjmh.exe, Djgjlelk.exe, Daqbip32.exe, Ddonekbl.exe, Dfnjafap.exe, Dodbbdbb.exe, Deokon32.exe, Dfpgffpm.exe, Daekdooc.exe, Dhocqigp.exe, Dgbdlf32.exe, Dmllipeg.exe
pid | process
1028 | Cdhhdlid.exe
1884 | Cjbpaf32.exe
3504 | Cmqmma32.exe
1060 | Cegdnopg.exe
1400 | Djdmffnn.exe
1992 | Dmcibama.exe
536 | Dhhnpjmh.exe
4888 | Djgjlelk.exe
2120 | Daqbip32.exe
448 | Ddonekbl.exe
4068 | Dfnjafap.exe
3840 | Dodbbdbb.exe
4008 | Deokon32.exe
1472 | Dfpgffpm.exe
1532 | Daekdooc.exe
4668 | Dhocqigp.exe
2232 | Dgbdlf32.exe
2320 | Dmllipeg.exe
Drops file in System32 directory (54 IoCs)
Processes: Dmcibama.exe, Ddonekbl.exe, Dodbbdbb.exe, Cdhhdlid.exe, Cegdnopg.exe, Djgjlelk.exe, Dfnjafap.exe, Deokon32.exe, Cjbpaf32.exe, Dhocqigp.exe, Djdmffnn.exe, Daekdooc.exe, Dfpgffpm.exe, Cmqmma32.exe, Dhhnpjmh.exe, Dgbdlf32.exe, Daqbip32.exe, 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Dhhnpjmh.exe | Dmcibama.exe
File created | C:\Windows\SysWOW64\Poahbe32.dll | Ddonekbl.exe
File created | C:\Windows\SysWOW64\Amfoeb32.dll | Dodbbdbb.exe
File created | C:\Windows\SysWOW64\Cjbpaf32.exe | Cdhhdlid.exe
File opened for modification | C:\Windows\SysWOW64\Djdmffnn.exe | Cegdnopg.exe
File created | C:\Windows\SysWOW64\Daqbip32.exe | Djgjlelk.exe
File created | C:\Windows\SysWOW64\Fnmnbf32.dll | Dfnjafap.exe
File opened for modification | C:\Windows\SysWOW64\Dfpgffpm.exe | Deokon32.exe
File created | C:\Windows\SysWOW64\Cmqmma32.exe | Cjbpaf32.exe
File opened for modification | C:\Windows\SysWOW64\Dgbdlf32.exe | Dhocqigp.exe
File created | C:\Windows\SysWOW64\Dmcibama.exe | Djdmffnn.exe
File opened for modification | C:\Windows\SysWOW64\Dmcibama.exe | Djdmffnn.exe
File created | C:\Windows\SysWOW64\Dfnjafap.exe | Ddonekbl.exe
File created | C:\Windows\SysWOW64\Dgbdlf32.exe | Dhocqigp.exe
File created | C:\Windows\SysWOW64\Gfghpl32.dll | Dhocqigp.exe
File created | C:\Windows\SysWOW64\Dhocqigp.exe | Daekdooc.exe
File opened for modification | C:\Windows\SysWOW64\Dfnjafap.exe | Ddonekbl.exe
File opened for modification | C:\Windows\SysWOW64\Dodbbdbb.exe | Dfnjafap.exe
File created | C:\Windows\SysWOW64\Deokon32.exe | Dodbbdbb.exe
File created | C:\Windows\SysWOW64\Daekdooc.exe | Dfpgffpm.exe
File created | C:\Windows\SysWOW64\Mgcail32.dll | Cmqmma32.exe
File opened for modification | C:\Windows\SysWOW64\Djgjlelk.exe | Dhhnpjmh.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dgbdlf32.exe
File opened for modification | C:\Windows\SysWOW64\Cjbpaf32.exe | Cdhhdlid.exe
File created | C:\Windows\SysWOW64\Hdhpgj32.dll | Cegdnopg.exe
File created | C:\Windows\SysWOW64\Dhhnpjmh.exe | Dmcibama.exe
File created | C:\Windows\SysWOW64\Ddonekbl.exe | Daqbip32.exe
File created | C:\Windows\SysWOW64\Ohmoom32.dll | Dfpgffpm.exe
File opened for modification | C:\Windows\SysWOW64\Dhocqigp.exe | Daekdooc.exe
File created | C:\Windows\SysWOW64\Nbgngp32.dll | Dmcibama.exe
File created | C:\Windows\SysWOW64\Beeppfin.dll | Dhhnpjmh.exe
File created | C:\Windows\SysWOW64\Dfpgffpm.exe | Deokon32.exe
File opened for modification | C:\Windows\SysWOW64\Cdhhdlid.exe | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
File created | C:\Windows\SysWOW64\Kmfjodai.dll | Djdmffnn.exe
File opened for modification | C:\Windows\SysWOW64\Daqbip32.exe | Djgjlelk.exe
File created | C:\Windows\SysWOW64\Djgjlelk.exe | Dhhnpjmh.exe
File created | C:\Windows\SysWOW64\Jdipdgch.dll | Djgjlelk.exe
File created | C:\Windows\SysWOW64\Elkadb32.dll | Daekdooc.exe
File created | C:\Windows\SysWOW64\Okgoadbf.dll | Cjbpaf32.exe
File created | C:\Windows\SysWOW64\Cegdnopg.exe | Cmqmma32.exe
File created | C:\Windows\SysWOW64\Djdmffnn.exe | Cegdnopg.exe
File opened for modification | C:\Windows\SysWOW64\Daekdooc.exe | Dfpgffpm.exe
File created | C:\Windows\SysWOW64\Jgilhm32.dll | Cdhhdlid.exe
File opened for modification | C:\Windows\SysWOW64\Deokon32.exe | Dodbbdbb.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dgbdlf32.exe
File opened for modification | C:\Windows\SysWOW64\Cegdnopg.exe | Cmqmma32.exe
File opened for modification | C:\Windows\SysWOW64\Ddonekbl.exe | Daqbip32.exe
File created | C:\Windows\SysWOW64\Dodbbdbb.exe | Dfnjafap.exe
File created | C:\Windows\SysWOW64\Kmdjdl32.dll | Deokon32.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dgbdlf32.exe
File created | C:\Windows\SysWOW64\Cdhhdlid.exe | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
File created | C:\Windows\SysWOW64\Lpggmhkg.dll | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
File opened for modification | C:\Windows\SysWOW64\Cmqmma32.exe | Cjbpaf32.exe
File created | C:\Windows\SysWOW64\Mjelcfha.dll | Daqbip32.exe
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
3932 | 2320 | WerFault.exe | Dmllipeg.exe
System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe, Cdhhdlid.exe, Cmqmma32.exe, Ddonekbl.exe, Dodbbdbb.exe, Daekdooc.exe, Dhocqigp.exe, Dmllipeg.exe, Djdmffnn.exe, Daqbip32.exe, Cjbpaf32.exe, Cegdnopg.exe, Dmcibama.exe, Dhhnpjmh.exe, Dfpgffpm.exe, Dgbdlf32.exe, Djgjlelk.exe, Dfnjafap.exe, Deokon32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdhhdlid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmqmma32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddonekbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dodbbdbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daekdooc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhocqigp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djdmffnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daqbip32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjbpaf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cegdnopg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmcibama.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhhnpjmh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfpgffpm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgbdlf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djgjlelk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfnjafap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Deokon32.exe
Modifies registry class (57 IoCs)
Processes: Dhocqigp.exe, 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe, Cmqmma32.exe, Daqbip32.exe, Daekdooc.exe, Cdhhdlid.exe, Cegdnopg.exe, Dodbbdbb.exe, Cjbpaf32.exe, Deokon32.exe, Djgjlelk.exe, Djdmffnn.exe, Dhhnpjmh.exe, Dfnjafap.exe, Dgbdlf32.exe, Dfpgffpm.exe, Dmcibama.exe, Ddonekbl.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhocqigp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" | Cmqmma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Daqbip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Daekdooc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdhhdlid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmqmma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cegdnopg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cmqmma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dodbbdbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Daekdooc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" | Dhocqigp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdhhdlid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll" | Cjbpaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" | Deokon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll" | Djgjlelk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" | Cegdnopg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djdmffnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll" | Djdmffnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll" | Cdhhdlid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhhnpjmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djgjlelk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djdmffnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" | Daqbip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfnjafap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll" | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dgbdlf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cegdnopg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" | Dmcibama.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dmcibama.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" | Daekdooc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djgjlelk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" | Dodbbdbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmcibama.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dodbbdbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjbpaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Deokon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhocqigp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhhnpjmh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddonekbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Deokon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfpgffpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Daqbip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" | Ddonekbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjbpaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" | Dhhnpjmh.exe
Suspicious use of WriteProcessMemory (54 IoCs)
Processes: 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe, Cdhhdlid.exe, Cjbpaf32.exe, Cmqmma32.exe, Cegdnopg.exe, Djdmffnn.exe, Dmcibama.exe, Dhhnpjmh.exe, Djgjlelk.exe, Daqbip32.exe, Ddonekbl.exe, Dfnjafap.exe, Dodbbdbb.exe, Deokon32.exe, Dfpgffpm.exe, Daekdooc.exe, Dhocqigp.exe, Dgbdlf32.exe
description | pid | process | target process
PID 3648 wrote to memory of 1028 | 3648 | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe | Cdhhdlid.exe
PID 3648 wrote to memory of 1028 | 3648 | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe | Cdhhdlid.exe
PID 3648 wrote to memory of 1028 | 3648 | 9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe | Cdhhdlid.exe
PID 1028 wrote to memory of 1884 | 1028 | Cdhhdlid.exe | Cjbpaf32.exe
PID 1028 wrote to memory of 1884 | 1028 | Cdhhdlid.exe | Cjbpaf32.exe
PID 1028 wrote to memory of 1884 | 1028 | Cdhhdlid.exe | Cjbpaf32.exe
PID 1884 wrote to memory of 3504 | 1884 | Cjbpaf32.exe | Cmqmma32.exe
PID 1884 wrote to memory of 3504 | 1884 | Cjbpaf32.exe | Cmqmma32.exe
PID 1884 wrote to memory of 3504 | 1884 | Cjbpaf32.exe | Cmqmma32.exe
PID 3504 wrote to memory of 1060 | 3504 | Cmqmma32.exe | Cegdnopg.exe
PID 3504 wrote to memory of 1060 | 3504 | Cmqmma32.exe | Cegdnopg.exe
PID 3504 wrote to memory of 1060 | 3504 | Cmqmma32.exe | Cegdnopg.exe
PID 1060 wrote to memory of 1400 | 1060 | Cegdnopg.exe | Djdmffnn.exe
PID 1060 wrote to memory of 1400 | 1060 | Cegdnopg.exe | Djdmffnn.exe
PID 1060 wrote to memory of 1400 | 1060 | Cegdnopg.exe | Djdmffnn.exe
PID 1400 wrote to memory of 1992 | 1400 | Djdmffnn.exe | Dmcibama.exe
PID 1400 wrote to memory of 1992 | 1400 | Djdmffnn.exe | Dmcibama.exe
PID 1400 wrote to memory of 1992 | 1400 | Djdmffnn.exe | Dmcibama.exe
PID 1992 wrote to memory of 536 | 1992 | Dmcibama.exe | Dhhnpjmh.exe
PID 1992 wrote to memory of 536 | 1992 | Dmcibama.exe | Dhhnpjmh.exe
PID 1992 wrote to memory of 536 | 1992 | Dmcibama.exe | Dhhnpjmh.exe
PID 536 wrote to memory of 4888 | 536 | Dhhnpjmh.exe | Djgjlelk.exe
PID 536 wrote to memory of 4888 | 536 | Dhhnpjmh.exe | Djgjlelk.exe
PID 536 wrote to memory of 4888 | 536 | Dhhnpjmh.exe | Djgjlelk.exe
PID 4888 wrote to memory of 2120 | 4888 | Djgjlelk.exe | Daqbip32.exe
PID 4888 wrote to memory of 2120 | 4888 | Djgjlelk.exe | Daqbip32.exe
PID 4888 wrote to memory of 2120 | 4888 | Djgjlelk.exe | Daqbip32.exe
PID 2120 wrote to memory of 448 | 2120 | Daqbip32.exe | Ddonekbl.exe
PID 2120 wrote to memory of 448 | 2120 | Daqbip32.exe | Ddonekbl.exe
PID 2120 wrote to memory of 448 | 2120 | Daqbip32.exe | Ddonekbl.exe
PID 448 wrote to memory of 4068 | 448 | Ddonekbl.exe | Dfnjafap.exe
PID 448 wrote to memory of 4068 | 448 | Ddonekbl.exe | Dfnjafap.exe
PID 448 wrote to memory of 4068 | 448 | Ddonekbl.exe | Dfnjafap.exe
PID 4068 wrote to memory of 3840 | 4068 | Dfnjafap.exe | Dodbbdbb.exe
PID 4068 wrote to memory of 3840 | 4068 | Dfnjafap.exe | Dodbbdbb.exe
PID 4068 wrote to memory of 3840 | 4068 | Dfnjafap.exe | Dodbbdbb.exe
PID 3840 wrote to memory of 4008 | 3840 | Dodbbdbb.exe | Deokon32.exe
PID 3840 wrote to memory of 4008 | 3840 | Dodbbdbb.exe | Deokon32.exe
PID 3840 wrote to memory of 4008 | 3840 | Dodbbdbb.exe | Deokon32.exe
PID 4008 wrote to memory of 1472 | 4008 | Deokon32.exe | Dfpgffpm.exe
PID 4008 wrote to memory of 1472 | 4008 | Deokon32.exe | Dfpgffpm.exe
PID 4008 wrote to memory of 1472 | 4008 | Deokon32.exe | Dfpgffpm.exe
PID 1472 wrote to memory of 1532 | 1472 | Dfpgffpm.exe | Daekdooc.exe
PID 1472 wrote to memory of 1532 | 1472 | Dfpgffpm.exe | Daekdooc.exe
PID 1472 wrote to memory of 1532 | 1472 | Dfpgffpm.exe | Daekdooc.exe
PID 1532 wrote to memory of 4668 | 1532 | Daekdooc.exe | Dhocqigp.exe
PID 1532 wrote to memory of 4668 | 1532 | Daekdooc.exe | Dhocqigp.exe
PID 1532 wrote to memory of 4668 | 1532 | Daekdooc.exe | Dhocqigp.exe
PID 4668 wrote to memory of 2232 | 4668 | Dhocqigp.exe | Dgbdlf32.exe
PID 4668 wrote to memory of 2232 | 4668 | Dhocqigp.exe | Dgbdlf32.exe
PID 4668 wrote to memory of 2232 | 4668 | Dhocqigp.exe | Dgbdlf32.exe
PID 2232 wrote to memory of 2320 | 2232 | Dgbdlf32.exe | Dmllipeg.exe
PID 2232 wrote to memory of 2320 | 2232 | Dgbdlf32.exe | Dmllipeg.exe
PID 2232 wrote to memory of 2320 | 2232 | Dgbdlf32.exe | Dmllipeg.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3648

Level 2: C:\Windows\SysWOW64\Cdhhdlid.exe
Command line: C:\Windows\system32\Cdhhdlid.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1028

Level 3: C:\Windows\SysWOW64\Cjbpaf32.exe
Command line: C:\Windows\system32\Cjbpaf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1884

Level 4: C:\Windows\SysWOW64\Cmqmma32.exe
Command line: C:\Windows\system32\Cmqmma32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3504

Level 5: C:\Windows\SysWOW64\Cegdnopg.exe
Command line: C:\Windows\system32\Cegdnopg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1060

Level 6: C:\Windows\SysWOW64\Djdmffnn.exe
Command line: C:\Windows\system32\Djdmffnn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1400

Level 7: C:\Windows\SysWOW64\Dmcibama.exe
Command line: C:\Windows\system32\Dmcibama.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1992

Level 8: C:\Windows\SysWOW64\Dhhnpjmh.exe
Command line: C:\Windows\system32\Dhhnpjmh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 536

Level 9: C:\Windows\SysWOW64\Djgjlelk.exe
Command line: C:\Windows\system32\Djgjlelk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4888

Level 10: C:\Windows\SysWOW64\Daqbip32.exe
Command line: C:\Windows\system32\Daqbip32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2120

Level 11: C:\Windows\SysWOW64\Ddonekbl.exe
Command line: C:\Windows\system32\Ddonekbl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 448

Level 12: C:\Windows\SysWOW64\Dfnjafap.exe
Command line: C:\Windows\system32\Dfnjafap.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4068

C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 39620⤵
- Program crash
PID:3932
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2320 -ip 23201⤵PID:3916
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 128KB
MD5: 2f502477584b0f3a99cd0dec9cf59e16
SHA1: 89e60d195c04250a32f6611fa81171c77f2a855e
SHA256: 50e83dfba8c12418019572b513e0c793b6539c4e31b5ca999900c785945e363a
SHA512: 9b951cefd8cec12d6b105f1a7799eabbd84dc39c998f52452544c87490c6ffd3bfcc8846df33925327f5bc6028c75daa03b7cfdc4f551d0267b377748fcd23b2
-
Filesize: 128KB
MD5: 7d094d7ef29bbd44574e9c6223fec81c
SHA1: 473f4172600d1c5ab2cb9e3c6c12091e4dd03722
SHA256: 94d8f94d4165005abbd246699ed2c5074bb799f40f8d2cec209bbad2528c591e
SHA512: e23dc6f1cf2a57a7875161cb16d8546f9ba87013f8e28ef41364bb7f40445748e99276b15e496639027cf0b61a6e8ec60397b2d595e9fa709f425f9969b854e6
-
Filesize: 128KB
MD5: 178c171f15dd007322039b36903c0dc3
SHA1: 70d682b4911176492993ce15109de5b49b00aaa5
SHA256: 7baeceed5147ebc29a3f497665c5b66f67fd9f411564b723a2013aa7b4c5e7dc
SHA512: c3ef08373117211b41d2e05d6a48f9e7051263f3c149bb0d1107b62d0e704cb262e75031c45f5d1998efe8c01a070b8436fa5bf5695629ce55e61b04b067acd7
-
Filesize: 128KB
MD5: e502e619e16c00cb3926d376b3aab16f
SHA1: c807fc444e181303b3bd2904eefb7606f99eadbb
SHA256: 6e1cd8e1da12371249dbbbdad07554cd62b0cc8a494e5264858ea81c3e156555
SHA512: bd1e26553892bd181caaf62a8ca42b8373d2da98b0198a27486018dee6124f8a7be4667c9fa52181f779feb024291b93f8673cbe381c0c8394cef81af6633426
-
Filesize: 128KB
MD5: 50f62ab096a19932e93e877ca3ca9109
SHA1: 1fed04c0dd836dd5787ac257ce200a2507e40fe6
SHA256: 0b9a1ff8fcfcafad6e7218675347fc1abf13129a17c0d5fba6314af589a75d43
SHA512: 17c572d8c7e21d0719f5a3e4d0bba9946325a0fea98ada4e6c611d03b0a0a4a683463b7c6fa4acb056b4400abb8697e8378e120641a162731f231ae3af40d04d
-
Filesize: 128KB
MD5: 7389053063d86ac3555343f5a20a98b9
SHA1: f42bc2f825bddebb9998a9a9f2b48320d0488099
SHA256: 267c887973b1e3c12505d1a04d9a4a551809bc3615343eb3528ddc2d974e62a4
SHA512: 7581fe42583583e736a62c42d785a981f25142b70e10af4a33213fdd3bb363c4e705f10eb72c35253bec802993b6103f6dab740ec8b31cd92ec496ad5be14ec9
-
Filesize: 128KB
MD5: ce60674c472d37236fdd873d1f30b043
SHA1: 46ed505b39116ab4b66de41eee0f3ab533fcf7ac
SHA256: aab0961298f788ae4bca295f56297fbe4ef712725f53148364e7245cbb611979
SHA512: bbbb11024ab31fbe25108a25b6a70ea912cf8baa4067ca725d15c105cf08017aa898b86b553a3f400c978b9b952fa6ae6b6be8671c29cf688fe8c99905158c23
-
Filesize: 128KB
MD5: 6441def16e17bc2a6d7294661c346d32
SHA1: acfbc13ba08dab8bc39f4b53b9c444c267459493
SHA256: 1953d00238e64b11d242b58ecf564a96e6d2a74aae1617250622beb27097f97e
SHA512: a2547285d6e628e872b596681d5aa01f290a48bcf665b5d073f0b2fc4d535616944d12c65c1d92083b27c72e95b7ab2c7ecfa8ed5d27b8f43afcf98a061c6bf0
-
Filesize: 128KB
MD5: 5a9f9f82bcbf67315c2fd2764fda52c8
SHA1: efda91136e432c1302640d55707f61c4bb71383a
SHA256: 947d0151e60be0452a0ab0502bdb68f99c6c2242d513a09ff707e5cbfb176d28
SHA512: 697b756eec3d5bf9dbd34070bc7cc68395cd2a8653645bd4cb8cd4635541ff61a27babb6b1303283da5dd6e64984295280d4faa46fc68d66d8969eee94c44501
-
Filesize: 128KB
MD5: ea46d22b887fb27a06d452ea6c43788a
SHA1: 2d5ce6d3892850b4c452879e4c86b54e7d68605b
SHA256: 0f7029ed24c98b9d2ec489812f7f365487ab98c35a851e7f14eb8cb2962208e0
SHA512: 12481e20128217ad426f4630febfd0b31b1f7fbc09e726ba57e1f3b80acdcd678cc13e10305bdeef5dae740e229f7534722e452151c73416dfebc0d60fcc5aea
-
Filesize: 128KB
MD5: 84d96bfd9abe1ee62b76974175874981
SHA1: d5d33e25d152ae1d855264f09493d344c8c82a0a
SHA256: f31e3b2b598fdd0f5b6ce4331da5f86b86869823220fa5f7f5319e4ac49316e6
SHA512: dda55655781497055b6ef348177eecf6ac3a2f77af0733cb212eb85fb81b3cf1282fc0aa9545131a3586c13b4adf813443780cace160b4769bdec91f1dde55b3
-
Filesize: 128KB
MD5: 635deff47c0d596ade944e4cc4297a7b
SHA1: 16b8546433f0598a0124edb8f94188eedcf87866
SHA256: 332d432cb4b9346adc53e3486d0ba314e6c577861b756164e96b24c0d65f6c75
SHA512: df3158f6ec52234a1a808753e3e6905277ae6351465c2f9290c8d4f6dd0097bbf10f0ee6a3979f9791302840f1089de0693ea9f2a878f73a0d4d3e2b5087783d
-
Filesize: 128KB
MD5: dc5de9fedd310fd2182215fa3bb8ff34
SHA1: a12bb5cef1cf58a95e8c47eba7b67fb3eabe4889
SHA256: f376822f10e895884d49db89bd9e77066fae3a0248a858071f2e63c970cd9113
SHA512: 1e721cbfddc69f3a9a522785ce6d49ebda358a5eb60fda9c0ee41da733c2335431b19c305b83c7173ffbcf413530d0dd870f16d1631ae9da9a18b684fc07fe7d
-
Filesize: 128KB
MD5: 64ea93c8fcd7c77df4d6a5716dd584dd
SHA1: 0b4adae4ad47e8cc388558d43cfb6ca1425f8357
SHA256: 0a0918de7e1d7ef4636b9a378c5cb4f72ecf568cba6166fb653113ced68ab584
SHA512: ccf141ef386b09a762340ec405b6b10082be264fcae460095531e66b7f8284a35c930a1134a1fea55930551191364fd56eff176f4724c0bc8c2d13b8c3d1c136
-
Filesize: 128KB
MD5: a1749b58a77b60fe6c01c725a9bf899c
SHA1: 84a44e56e03dfcf12e076382cac4367ee9a59044
SHA256: 3e59eb799a17649c70443a68b6daa6866c0d69736f9d50125ac7b294f5e96559
SHA512: 4bf19dd0c217ad8b61a73b0d513542f8a2614735a2926a364ade256200df61851c7932182b21b5c2ef2e7478c6e2d21661d126b13eaeea83055a90028555a256
-
Filesize: 128KB
MD5: d405653c17935dc9546cecc8671a9e44
SHA1: 2b2193be5dc6fae9d522801d022343f02d5340bf
SHA256: 32c9fd8777cecb8c5182b96503daa7a7c1729c495567f41730c2a9eebe8723c2
SHA512: 2d0e1d33ef3f7ea112ba02ce4f9c760255a3c200c86f5de2a0b2c24ed77317f774018189b4c0036250bdacff6f7a2a684d8c0b5b26b78ba75c6183c19e64799c
-
Filesize: 128KB
MD5: ed7aea2799a14d4bedbeb9c88553368e
SHA1: af22c7b6e3906cdeb9bebd99ae5d0f2287c8fec0
SHA256: 7bb0d290280269c040987d3ae73c2e86afc8551755b223cd3731222cb9d6a3da
SHA512: 0b3899d559821116c8402e861236ebdd022fb1e25535254f83acff33ffdfa7befa7fa7b334403a3acbe771998e01e1829eb762861ef5137040c72eab435e2b94
-
Filesize: 128KB
MD5: d9e0aaa86bea7fbfc51b6aaa21070b99
SHA1: 70e7ade0cd0e27c47647a9076191cc0f67dc4918
SHA256: 94a5a2f2e9b17dd30a8a74f2e432e2a4d319b472c93738d4fce87ddce0bb2099
SHA512: 407663693fb3344604dadd50dd722cb2920f0c9430184122dbc61319d200b38330c35fe135e0d729744a13e90ae05d9ee4b1e74edbdfdfb7ee97eb9b002e90b5