Analysis

  max time kernel:  148s
  max time network: 150s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        10-11-2024 01:56

Static task
  static1

Behavioral task behavioral1
  Sample:   b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe
  Resource: win7-20240903-en

Behavioral task behavioral2
  Sample:   b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe
  Resource: win10v2004-20241007-en

The signature detail on this page is from the Windows 10 run (behavioral2, resource win10v2004-20241007-en); the Windows 7 run is not shown here.

General

  Target: b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe
  Size:   96KB
  MD5:    9aa6ffdfbb487027e0dc36ca34c57648
  SHA1:   33163705d46a0d227ec968b969eea15660800fd1
  SHA256: b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28
  SHA512: 3e7d625b807bd9de1fd6d70ff4f65f472cc4670b4d31d2e893afaf4a9c322432ec7fe16a13bb6d7465280642e90ea0b757cfceb2666c4c3c133b8a0230e8e5f9
  SSDEEP: 1536:BMmTtxcJZpvPlhSPkDamlXfiNno1OpiByPNj0OL3hhrUQVoMdUT+irF:BMmTtxcbNdgMnQVj0OLxhr1Rhk
Malware Config

Extracted family: berbew
  http://f/wcmd.htm
  http://f/ppslog.php
  http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

These are the URL strings the config extractor recovered from the binary, reproduced as-is. The host component is the single character "f" and the third entry still carries its printf-style format specifiers, so they are format templates the sample fills in at runtime rather than resolved C2 addresses; do not add them to a blocklist in this form.
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every stage writes the same ShellServiceObjectDelayLoad (SSODL) entry under the 32-bit view of HKLM\SOFTWARE: a value named "Web Event Logger" whose data is the CLSID {79FAA099-1BAE-816E-D711-115290CEE717}. Explorer.exe loads every CLSID listed under SSODL when the shell starts, so this entry gives the sample persistence for as long as the CLSID's InProcServer32 registration (see "Modifies registry class" below) points at a DLL on disk. The 64 rows are the same two operations repeated by successive stages:

Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by (33 processes): Cffdpghg.exe, Cmqmma32.exe, Bjddphlq.exe, Dfnjafap.exe, Dmgbnq32.exe, Dhocqigp.exe, Bfkedibe.exe, Ddakjkqi.exe, Djgjlelk.exe, Dodbbdbb.exe, Bmpcfdmg.exe, Cfbkeh32.exe, Djdmffnn.exe, Cmiflbel.exe, Dhhnpjmh.exe, Dmefhako.exe, Beglgani.exe, Bganhm32.exe, Bebblb32.exe, Chjaol32.exe, Cnffqf32.exe, Bmngqdpj.exe, Beeoaapl.exe, Chagok32.exe, Dfiafg32.exe, Cajlhqjp.exe, Delnin32.exe, Aadifclh.exe, Banllbdn.exe, Cenahpha.exe, Cdhhdlid.exe, Ceqnmpfo.exe, Agoabn32.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
  by (31 processes): Bjddphlq.exe, Dodbbdbb.exe, Cfpnph32.exe, Cnffqf32.exe, Chjaol32.exe, Bfabnjjp.exe, Dogogcpo.exe, Djgjlelk.exe, Agoabn32.exe, Ddakjkqi.exe, Banllbdn.exe, Ceckcp32.exe, Cmqmma32.exe, Djdmffnn.exe, Dhocqigp.exe, Dknpmdfc.exe, Doilmc32.exe, Bgehcmmm.exe, Dfiafg32.exe, Ceqnmpfo.exe, Dmcibama.exe, b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe, Chagok32.exe, Cndikf32.exe, Bcoenmao.exe, Aadifclh.exe, Dfnjafap.exe, Bfkedibe.exe, Dfpgffpm.exe, Bebblb32.exe, Bmngqdpj.exe

Berbew family
Executes dropped EXE (54 IoCs)

Each stage is a freshly dropped executable in C:\Windows\SysWOW64 with an eight-character name; the names advance through A, B, C and D in the order the stages run. PID and process, in execution order:

  2324 Aadifclh.exe
  4084 Aepefb32.exe
  2164 Agoabn32.exe
  3064 Bfabnjjp.exe
  4884 Bebblb32.exe
  2596 Bganhm32.exe
  2648 Bmngqdpj.exe
  2928 Beeoaapl.exe
  2660 Bgcknmop.exe
  5092 Bmpcfdmg.exe
  4380 Beglgani.exe
  2392 Bgehcmmm.exe
  4736 Bjddphlq.exe
  2828 Banllbdn.exe
     8 Bclhhnca.exe
  1436 Bfkedibe.exe
  4076 Bmemac32.exe
  2800 Bcoenmao.exe
  3352 Chjaol32.exe
   776 Cndikf32.exe
  3608 Cenahpha.exe
  3356 Cfpnph32.exe
  1256 Cnffqf32.exe
  2424 Cmiflbel.exe
  1972 Ceqnmpfo.exe
  4652 Cfbkeh32.exe
  3096 Cmlcbbcj.exe
  1620 Ceckcp32.exe
   624 Chagok32.exe
  5112 Cajlhqjp.exe
  4920 Ceehho32.exe
  1460 Cdhhdlid.exe
  2856 Cffdpghg.exe
  2096 Cmqmma32.exe
  1360 Calhnpgn.exe
  4572 Dfiafg32.exe
  4080 Djdmffnn.exe
  3740 Dmcibama.exe
  3656 Danecp32.exe
   812 Dhhnpjmh.exe
  1200 Djgjlelk.exe
   744 Dmefhako.exe
  5004 Delnin32.exe
  1188 Dfnjafap.exe
  2300 Dodbbdbb.exe
  3292 Dmgbnq32.exe
  1392 Ddakjkqi.exe
   228 Dfpgffpm.exe
  3824 Dogogcpo.exe
  3308 Daekdooc.exe
  2168 Dhocqigp.exe
  3060 Dknpmdfc.exe
  2984 Doilmc32.exe
  4848 Dmllipeg.exe
Drops file in System32 directory (64 IoCs)

Every stage writes two things into C:\Windows\SysWOW64: the next stage's executable and one DLL. Where both rows survive the 64-entry cap on this listing, the DLL a process drops here is the same file that process registers as the CLSID's InProcServer32 under "Modifies registry class" (for example Fqjamcpe.dll by Chjaol32.exe, Flgehc32.dll by Cenahpha.exe, Dchfiejc.dll by Cdhhdlid.exe, Gmcfdb32.dll by Dmefhako.exe, Bmhnkg32.dll by Bmpcfdmg.exe, Gidbim32.dll by Djgjlelk.exe, Bbloam32.dll by Cnffqf32.exe, Kdqjac32.dll by Cmiflbel.exe). The DLLs, not the executables, are the persistent payload.

  operation                     path                               process
  File created                  C:\Windows\SysWOW64\Fqjamcpe.dll   Chjaol32.exe
  File created                  C:\Windows\SysWOW64\Flgehc32.dll   Cenahpha.exe
  File opened for modification  C:\Windows\SysWOW64\Dhhnpjmh.exe   Danecp32.exe
  File created                  C:\Windows\SysWOW64\Ebdijfii.dll   Beglgani.exe
  File created                  C:\Windows\SysWOW64\Bclhhnca.exe   Banllbdn.exe
  File opened for modification  C:\Windows\SysWOW64\Bclhhnca.exe   Banllbdn.exe
  File opened for modification  C:\Windows\SysWOW64\Bmemac32.exe   Bfkedibe.exe
  File created                  C:\Windows\SysWOW64\Dchfiejc.dll   Cdhhdlid.exe
  File opened for modification  C:\Windows\SysWOW64\Aepefb32.exe   Aadifclh.exe
  File created                  C:\Windows\SysWOW64\Agoabn32.exe   Aepefb32.exe
  File opened for modification  C:\Windows\SysWOW64\Beglgani.exe   Bmpcfdmg.exe
  File created                  C:\Windows\SysWOW64\Djgjlelk.exe   Dhhnpjmh.exe
  File opened for modification  C:\Windows\SysWOW64\Dodbbdbb.exe   Dfnjafap.exe
  File created                  C:\Windows\SysWOW64\Phiifkjp.dll   Bfabnjjp.exe
  File opened for modification  C:\Windows\SysWOW64\Bjddphlq.exe   Bgehcmmm.exe
  File created                  C:\Windows\SysWOW64\Fnmnbf32.dll   Dfnjafap.exe
  File opened for modification  C:\Windows\SysWOW64\Cndikf32.exe   Chjaol32.exe
  File opened for modification  C:\Windows\SysWOW64\Cdhhdlid.exe   Ceehho32.exe
  File created                  C:\Windows\SysWOW64\Djdmffnn.exe   Dfiafg32.exe
  File created                  C:\Windows\SysWOW64\Gmcfdb32.dll   Dmefhako.exe
  File opened for modification  C:\Windows\SysWOW64\Doilmc32.exe   Dknpmdfc.exe
  File opened for modification  C:\Windows\SysWOW64\Agoabn32.exe   Aepefb32.exe
  File created                  C:\Windows\SysWOW64\Leqcid32.dll   Bganhm32.exe
  File created                  C:\Windows\SysWOW64\Bjddphlq.exe   Bgehcmmm.exe
  File created                  C:\Windows\SysWOW64\Cmqmma32.exe   Cffdpghg.exe
  File created                  C:\Windows\SysWOW64\Dmgbnq32.exe   Dodbbdbb.exe
  File created                  C:\Windows\SysWOW64\Bmhnkg32.dll   Bmpcfdmg.exe
  File created                  C:\Windows\SysWOW64\Mkijij32.dll   Cndikf32.exe
  File created                  C:\Windows\SysWOW64\Cffdpghg.exe   Cdhhdlid.exe
  File created                  C:\Windows\SysWOW64\Calhnpgn.exe   Cmqmma32.exe
  File created                  C:\Windows\SysWOW64\Doilmc32.exe   Dknpmdfc.exe
  File created                  C:\Windows\SysWOW64\Beeoaapl.exe   Bmngqdpj.exe
  File created                  C:\Windows\SysWOW64\Bmpcfdmg.exe   Bgcknmop.exe
  File created                  C:\Windows\SysWOW64\Bbloam32.dll   Cnffqf32.exe
  File opened for modification  C:\Windows\SysWOW64\Cmlcbbcj.exe   Cfbkeh32.exe
  File opened for modification  C:\Windows\SysWOW64\Calhnpgn.exe   Cmqmma32.exe
  File created                  C:\Windows\SysWOW64\Dmcibama.exe   Djdmffnn.exe
  File created                  C:\Windows\SysWOW64\Gidbim32.dll   Djgjlelk.exe
  File opened for modification  C:\Windows\SysWOW64\Bmpcfdmg.exe   Bgcknmop.exe
  File created                  C:\Windows\SysWOW64\Bmemac32.exe   Bfkedibe.exe
  File created                  C:\Windows\SysWOW64\Lfjhbihm.dll   Cfpnph32.exe
  File created                  C:\Windows\SysWOW64\Cfpnph32.exe   Cenahpha.exe
  File opened for modification  C:\Windows\SysWOW64\Cfpnph32.exe   Cenahpha.exe
  File created                  C:\Windows\SysWOW64\Eifnachf.dll   Cmlcbbcj.exe
  File opened for modification  C:\Windows\SysWOW64\Dmcibama.exe   Djdmffnn.exe
  File opened for modification  C:\Windows\SysWOW64\Dfpgffpm.exe   Ddakjkqi.exe
  File opened for modification  C:\Windows\SysWOW64\Bgcknmop.exe   Beeoaapl.exe
  File created                  C:\Windows\SysWOW64\Hhqeiena.dll   Bgehcmmm.exe
  File created                  C:\Windows\SysWOW64\Mmnbeadp.dll   Bmemac32.exe
  File opened for modification  C:\Windows\SysWOW64\Dogogcpo.exe   Dfpgffpm.exe
  File created                  C:\Windows\SysWOW64\Elkadb32.dll   Daekdooc.exe
  File created                  C:\Windows\SysWOW64\Okgoadbf.dll   Cffdpghg.exe
  File created                  C:\Windows\SysWOW64\Naeheh32.dll   Cmqmma32.exe
  File opened for modification  C:\Windows\SysWOW64\Bfkedibe.exe   Bclhhnca.exe
  File created                  C:\Windows\SysWOW64\Kdqjac32.dll   Cmiflbel.exe
  File created                  C:\Windows\SysWOW64\Chagok32.exe   Ceckcp32.exe
  File created                  C:\Windows\SysWOW64\Dfnjafap.exe   Delnin32.exe
  File created                  C:\Windows\SysWOW64\Ohmoom32.dll   Dogogcpo.exe
  File opened for modification  C:\Windows\SysWOW64\Beeoaapl.exe   Bmngqdpj.exe
  File created                  C:\Windows\SysWOW64\Beglgani.exe   Bmpcfdmg.exe
  File created                  C:\Windows\SysWOW64\Ceqnmpfo.exe   Cmiflbel.exe
  File opened for modification  C:\Windows\SysWOW64\Banllbdn.exe   Bjddphlq.exe
  File created                  C:\Windows\SysWOW64\Mogqfgka.dll   Bfkedibe.exe
  File created                  C:\Windows\SysWOW64\Jekpanpa.dll   Cajlhqjp.exe
Program crash (1 IoC)

  WerFault.exe (PID 4352) handled a crash of Dmllipeg.exe (PID 4848), the last stage started in this run; the chain ended there rather than being stopped by the analysis timeout.
System Location Discovery: System Language Discovery (1 TTP, 55 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The key involved is also read by ordinary locale lookups, so a single open is a weak indicator on its own; what is notable here is that the original sample and every stage after it performs the same read.

Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by (55 processes): Dmllipeg.exe, Cffdpghg.exe, Cmqmma32.exe, Dknpmdfc.exe, Danecp32.exe, Bganhm32.exe, Cndikf32.exe, Cfbkeh32.exe, Aadifclh.exe, Bgcknmop.exe, Chjaol32.exe, Delnin32.exe, Banllbdn.exe, Bmemac32.exe, Cfpnph32.exe, Dogogcpo.exe, Cenahpha.exe, Calhnpgn.exe, Beeoaapl.exe, Bmpcfdmg.exe, Bjddphlq.exe, Ddakjkqi.exe, Bgehcmmm.exe, Bclhhnca.exe, Cdhhdlid.exe, Bfabnjjp.exe, Beglgani.exe, Ceckcp32.exe, Bcoenmao.exe, Ceehho32.exe, Dhhnpjmh.exe, Ceqnmpfo.exe, Dmcibama.exe, Dmgbnq32.exe, Aepefb32.exe, Bmngqdpj.exe, Dfnjafap.exe, Dmefhako.exe, Dfpgffpm.exe, Doilmc32.exe, b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe, Cmlcbbcj.exe, Djdmffnn.exe, Dhocqigp.exe, Cmiflbel.exe, Chagok32.exe, Daekdooc.exe, Dfiafg32.exe, Djgjlelk.exe, Dodbbdbb.exe, Agoabn32.exe, Bebblb32.exe, Bfkedibe.exe, Cnffqf32.exe, Cajlhqjp.exe
Modifies registry class 64 IoCs
Processes:
Ceckcp32.exeChagok32.exeCeehho32.exeCdhhdlid.exeCalhnpgn.exeDhhnpjmh.exeDmgbnq32.exeDogogcpo.exeDhocqigp.exeDoilmc32.exeBeeoaapl.exeBeglgani.exeBjddphlq.exeDjgjlelk.exeb51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exeCmlcbbcj.exeCndikf32.exeCmiflbel.exeChjaol32.exeBgcknmop.exeDdakjkqi.exeBfkedibe.exeCnffqf32.exeCfbkeh32.exeDanecp32.exeDelnin32.exeDmefhako.exeCfpnph32.exeCffdpghg.exeAepefb32.exeDjdmffnn.exeBclhhnca.exeDodbbdbb.exeDaekdooc.exeAgoabn32.exeBebblb32.exeBmpcfdmg.exeBmemac32.exeCenahpha.exeDfiafg32.exeDmcibama.exeBmngqdpj.exeDknpmdfc.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll" Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Calhnpgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhhnpjmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Nokpao32.dll" Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beglgani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" Djgjlelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cndikf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" Chjaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgcknmop.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfkedibe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" Cnffqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Danecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Delnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfkedibe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmefhako.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfpnph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfpnph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cffdpghg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Calhnpgn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" Dmefhako.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doilmc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" Aepefb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djdmffnn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bclhhnca.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dodbbdbb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daekdooc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll" Agoabn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" Bebblb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" Bmpcfdmg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bclhhnca.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmemac32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" Cenahpha.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceckcp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfiafg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmcibama.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djgjlelk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmefhako.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmngqdpj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmpcfdmg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Cmiflbel.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll" Bclhhnca.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" Dfiafg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" Dmcibama.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Danecp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dknpmdfc.exe
-
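The registry events above describe one persistence mechanism spread over dozens of lines: a value named "Web Event Logger" under Explorer's ShellServiceObjectDelayLoad (SSODL) key names CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and successive generations of the dropped executables re-point that CLSID's InProcServer32 default value at a freshly dropped DLL under C:\Windows\SysWow64. The Python below, an added example that is not part of this report or of the sample, parses event lines in the report's own "Set value (str) ... = "..." process.exe" and "Key created ... process.exe" format and ties the SSODL entry to every DLL its CLSID has been pointed at. The sample lines are a constructed subset copied from this report; the baseline allowlist is an assumption, to be filled from a clean reference image.

```python
"""Correlate a ShellServiceObjectDelayLoad (SSODL) entry with the CLSID server it loads.

Added example, not part of the sandbox report or of the sample. Parses the
'Set value (str) <path> = "<value>" <process>' and 'Key created <path> <process>'
lines in the format this report prints, then ties the SSODL value (what Explorer
loads at startup) to the InProcServer32 default value of that CLSID (the DLL that
actually gets loaded).
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines from this report's "Adds autorun key" and
# "Modifies registry class" sections, copied as the report prints them.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjddphlq.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffdpghg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfpnph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfpnph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" Dmefhako.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" Aepefb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll" Agoabn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe
"""

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r"^Key created (.+) (\S+)$")
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\([^\\]+)$", re.I)
# Group 2 is the value name under InProcServer32: "" for the (Default) value, the DLL path.
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32\\(\w*)$", re.I)

# Assumption: CLSIDs a clean reference host legitimately lists under SSODL. Empty here.
BASELINE_CLSIDS = frozenset()


def parse_events(text):
    """Return [(kind, path, value_or_None, process)] for the lines the regexes recognise."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            _, path, value, proc = m.groups()
            # The report escapes backslashes inside values ("C:\\Windows\\...").
            events.append(("set", path, value.replace("\\\\", "\\"), proc))
            continue
        m = KEY_RE.match(line)
        if m:
            path, proc = m.groups()
            events.append(("key", path, None, proc))
    return events


def ssodl_persistence(events, baseline=BASELINE_CLSIDS):
    """One finding per SSODL value: the CLSID it names and every DLL that CLSID was pointed at."""
    ssodl = {}                   # SSODL value name -> CLSID
    servers = defaultdict(list)  # CLSID -> [(dll path, writing process)] in event order
    for kind, path, value, proc in events:
        if kind != "set":
            continue
        m = SSODL_RE.search(path)
        if m:
            ssodl[m.group(1)] = value.upper()
            continue
        m = INPROC_RE.search(path)
        if m and m.group(2) == "":
            servers[m.group(1).upper()].append((value, proc))
    findings = []
    for name, clsid in ssodl.items():
        hits = servers.get(clsid, [])
        dlls = [dll for dll, _ in hits]
        findings.append({
            "ssodl_name": name,
            "clsid": clsid,
            "dlls": dlls,
            "writers": sorted({proc for _, proc in hits}),
            "suspicious": clsid not in baseline,
            # A legitimate install registers its server once; re-pointing it per
            # generation is the pattern this report shows.
            "repointed": len(set(dlls)) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in ssodl_persistence(parse_events(SAMPLE_EVENTS)):
        print(f"SSODL '{finding['ssodl_name']}' -> {finding['clsid']}")
        for dll in finding["dlls"]:
            print("   InProcServer32 =", dll)
        print("   writers:", ", ".join(finding["writers"]))
        print("   suspicious:", finding["suspicious"], "re-pointed:", finding["repointed"])
```

On a live host the same correlation is done against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its WOW6432Node view, which is where this 32-bit sample's writes landed) and HKCR\CLSID\<clsid>\InProcServer32; any SSODL CLSID whose server lives outside the baseline, or that has been rewritten more than once, deserves a look at the DLL itself.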
Suspicious use of WriteProcessMemory 64 IoCs
Processes: b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe, Aadifclh.exe, Aepefb32.exe, Agoabn32.exe, Bfabnjjp.exe, Bebblb32.exe, Bganhm32.exe, Bmngqdpj.exe, Beeoaapl.exe, Bgcknmop.exe, Bmpcfdmg.exe, Beglgani.exe, Bgehcmmm.exe, Bjddphlq.exe, Banllbdn.exe, Bclhhnca.exe, Bfkedibe.exe, Bmemac32.exe, Bcoenmao.exe, Chjaol32.exe, Cndikf32.exe, Cenahpha.exe
description pid process target process
PID 4392 wrote to memory of 2324 4392 b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe Aadifclh.exe
PID 4392 wrote to memory of 2324 4392 b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe Aadifclh.exe
PID 4392 wrote to memory of 2324 4392 b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe Aadifclh.exe
PID 2324 wrote to memory of 4084 2324 Aadifclh.exe Aepefb32.exe
PID 2324 wrote to memory of 4084 2324 Aadifclh.exe Aepefb32.exe
PID 2324 wrote to memory of 4084 2324 Aadifclh.exe Aepefb32.exe
PID 4084 wrote to memory of 2164 4084 Aepefb32.exe Agoabn32.exe
PID 4084 wrote to memory of 2164 4084 Aepefb32.exe Agoabn32.exe
PID 4084 wrote to memory of 2164 4084 Aepefb32.exe Agoabn32.exe
PID 2164 wrote to memory of 3064 2164 Agoabn32.exe Bfabnjjp.exe
PID 2164 wrote to memory of 3064 2164 Agoabn32.exe Bfabnjjp.exe
PID 2164 wrote to memory of 3064 2164 Agoabn32.exe Bfabnjjp.exe
PID 3064 wrote to memory of 4884 3064 Bfabnjjp.exe Bebblb32.exe
PID 3064 wrote to memory of 4884 3064 Bfabnjjp.exe Bebblb32.exe
PID 3064 wrote to memory of 4884 3064 Bfabnjjp.exe Bebblb32.exe
PID 4884 wrote to memory of 2596 4884 Bebblb32.exe Bganhm32.exe
PID 4884 wrote to memory of 2596 4884 Bebblb32.exe Bganhm32.exe
PID 4884 wrote to memory of 2596 4884 Bebblb32.exe Bganhm32.exe
PID 2596 wrote to memory of 2648 2596 Bganhm32.exe Bmngqdpj.exe
PID 2596 wrote to memory of 2648 2596 Bganhm32.exe Bmngqdpj.exe
PID 2596 wrote to memory of 2648 2596 Bganhm32.exe Bmngqdpj.exe
PID 2648 wrote to memory of 2928 2648 Bmngqdpj.exe Beeoaapl.exe
PID 2648 wrote to memory of 2928 2648 Bmngqdpj.exe Beeoaapl.exe
PID 2648 wrote to memory of 2928 2648 Bmngqdpj.exe Beeoaapl.exe
PID 2928 wrote to memory of 2660 2928 Beeoaapl.exe Bgcknmop.exe
PID 2928 wrote to memory of 2660 2928 Beeoaapl.exe Bgcknmop.exe
PID 2928 wrote to memory of 2660 2928 Beeoaapl.exe Bgcknmop.exe
PID 2660 wrote to memory of 5092 2660 Bgcknmop.exe Bmpcfdmg.exe
PID 2660 wrote to memory of 5092 2660 Bgcknmop.exe Bmpcfdmg.exe
PID 2660 wrote to memory of 5092 2660 Bgcknmop.exe Bmpcfdmg.exe
PID 5092 wrote to memory of 4380 5092 Bmpcfdmg.exe Beglgani.exe
PID 5092 wrote to memory of 4380 5092 Bmpcfdmg.exe Beglgani.exe
PID 5092 wrote to memory of 4380 5092 Bmpcfdmg.exe Beglgani.exe
PID 4380 wrote to memory of 2392 4380 Beglgani.exe Bgehcmmm.exe
PID 4380 wrote to memory of 2392 4380 Beglgani.exe Bgehcmmm.exe
PID 4380 wrote to memory of 2392 4380 Beglgani.exe Bgehcmmm.exe
PID 2392 wrote to memory of 4736 2392 Bgehcmmm.exe Bjddphlq.exe
PID 2392 wrote to memory of 4736 2392 Bgehcmmm.exe Bjddphlq.exe
PID 2392 wrote to memory of 4736 2392 Bgehcmmm.exe Bjddphlq.exe
PID 4736 wrote to memory of 2828 4736 Bjddphlq.exe Banllbdn.exe
PID 4736 wrote to memory of 2828 4736 Bjddphlq.exe Banllbdn.exe
PID 4736 wrote to memory of 2828 4736 Bjddphlq.exe Banllbdn.exe
PID 2828 wrote to memory of 8 2828 Banllbdn.exe Bclhhnca.exe
PID 2828 wrote to memory of 8 2828 Banllbdn.exe Bclhhnca.exe
PID 2828 wrote to memory of 8 2828 Banllbdn.exe Bclhhnca.exe
PID 8 wrote to memory of 1436 8 Bclhhnca.exe Bfkedibe.exe
PID 8 wrote to memory of 1436 8 Bclhhnca.exe Bfkedibe.exe
PID 8 wrote to memory of 1436 8 Bclhhnca.exe Bfkedibe.exe
PID 1436 wrote to memory of 4076 1436 Bfkedibe.exe Bmemac32.exe
PID 1436 wrote to memory of 4076 1436 Bfkedibe.exe Bmemac32.exe
PID 1436 wrote to memory of 4076 1436 Bfkedibe.exe Bmemac32.exe
PID 4076 wrote to memory of 2800 4076 Bmemac32.exe Bcoenmao.exe
PID 4076 wrote to memory of 2800 4076 Bmemac32.exe Bcoenmao.exe
PID 4076 wrote to memory of 2800 4076 Bmemac32.exe Bcoenmao.exe
PID 2800 wrote to memory of 3352 2800 Bcoenmao.exe Chjaol32.exe
PID 2800 wrote to memory of 3352 2800 Bcoenmao.exe Chjaol32.exe
PID 2800 wrote to memory of 3352 2800 Bcoenmao.exe Chjaol32.exe
PID 3352 wrote to memory of 776 3352 Chjaol32.exe Cndikf32.exe
PID 3352 wrote to memory of 776 3352 Chjaol32.exe Cndikf32.exe
PID 3352 wrote to memory of 776 3352 Chjaol32.exe Cndikf32.exe
PID 776 wrote to memory of 3608 776 Cndikf32.exe Cenahpha.exe
PID 776 wrote to memory of 3608 776 Cndikf32.exe Cenahpha.exe
PID 776 wrote to memory of 3608 776 Cndikf32.exe Cenahpha.exe
PID 3608 wrote to memory of 3356 3608 Cenahpha.exe Cfpnph32.exe
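The WriteProcessMemory list above is a single linear chain: the submitted executable writes into Aadifclh.exe, which writes into Aepefb32.exe, and so on, each generation writing into exactly one child. Two things are worth reading off the process tree that follows: every generation's image is C:\Windows\SysWOW64\<name>.exe although its command line names C:\Windows\system32\<name>.exe, which is WOW64 file-system redirection for a 32-bit process on this x64 image rather than two different files; and the chain stops when the 55th generation, Dmllipeg.exe (PID 4848), crashes and WerFault.exe is invoked for it. The Python below is an added example, not part of this report or of the sample: it parses entries in the report's "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" format, collapses the three-fold repeats while keeping their count, walks the chain from the root, and flags a linear chain whose every generation fits the naming seen here. The sample lines are a constructed subset of the list above; the naming regex is an assumption drawn from the image names in this report (eight characters, capital initial, optional "32" suffix).

```python
"""Rebuild the spawn chain from "Suspicious use of WriteProcessMemory" entries.

Added example, not part of the sandbox report or of the sample. The naming
heuristic is an assumption drawn from the image names in this report.
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Constructed sample: the first thirteen entries of the report's list. Each write is
# logged three times there, and the repeats are reproduced here on purpose.
SAMPLE_WPM = """
PID 4392 wrote to memory of 2324 4392 b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe Aadifclh.exe
PID 4392 wrote to memory of 2324 4392 b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe Aadifclh.exe
PID 4392 wrote to memory of 2324 4392 b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe Aadifclh.exe
PID 2324 wrote to memory of 4084 2324 Aadifclh.exe Aepefb32.exe
PID 2324 wrote to memory of 4084 2324 Aadifclh.exe Aepefb32.exe
PID 2324 wrote to memory of 4084 2324 Aadifclh.exe Aepefb32.exe
PID 4084 wrote to memory of 2164 4084 Aepefb32.exe Agoabn32.exe
PID 4084 wrote to memory of 2164 4084 Aepefb32.exe Agoabn32.exe
PID 4084 wrote to memory of 2164 4084 Aepefb32.exe Agoabn32.exe
PID 2164 wrote to memory of 3064 2164 Agoabn32.exe Bfabnjjp.exe
PID 2164 wrote to memory of 3064 2164 Agoabn32.exe Bfabnjjp.exe
PID 2164 wrote to memory of 3064 2164 Agoabn32.exe Bfabnjjp.exe
PID 3064 wrote to memory of 4884 3064 Bfabnjjp.exe Bebblb32.exe
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
# Assumed heuristic from this report's names: "Aadifclh.exe", "Aepefb32.exe", ...
DROP_NAME_RE = re.compile(r"^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$")


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_wpm(text):
    """One Write per recognised line; malformed lines are skipped, not guessed at."""
    writes = []
    for raw in text.splitlines():
        m = WPM_RE.match(raw.strip())
        if m:
            writes.append(Write(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return writes


def build_chain(writes):
    """Return (chain, linear, counts).

    chain:  [(pid, image)] from the root writer to the last target.
    linear: True when there is exactly one root and every writer has exactly one target.
    counts: {(src_pid, dst_pid): number of writes}, so the repeats stay visible.
    """
    counts = Counter((w.src_pid, w.dst_pid) for w in writes)
    images = {}
    for w in writes:
        images[w.src_pid] = w.src_image
        images[w.dst_pid] = w.dst_image
    children = defaultdict(list)
    for src, dst in counts:
        children[src].append(dst)
    targets = {dst for _, dst in counts}
    roots = [src for src in children if src not in targets]
    linear = len(roots) == 1 and all(len(c) == 1 for c in children.values())
    chain, seen = [], set()
    pid = roots[0] if roots else None
    while pid is not None and pid not in seen:      # seen-set guards against cycles
        seen.add(pid)
        chain.append((pid, images[pid]))
        pid = children[pid][0] if children.get(pid) else None
    return chain, linear, counts


def looks_like_drop(image):
    return bool(DROP_NAME_RE.match(image))


def chain_alert(chain, linear, min_generations=3):
    """Flag a linear chain where every generation after the root fits the drop naming."""
    generations = chain[1:]
    return (linear and len(generations) >= min_generations
            and all(looks_like_drop(img) for _, img in generations))


if __name__ == "__main__":
    chain, linear, counts = build_chain(parse_wpm(SAMPLE_WPM))
    for pid, image in chain:
        print(f"{pid:>5}  {image}")
    print("linear:", linear, "alert:", chain_alert(chain, linear))
```

The same walk applies to Sysmon event ID 1 (parent/child) or ID 10 (process access) data; what makes this sample stand out is not any single write but a chain dozens of generations deep in which every link is a freshly dropped, never-before-seen executable in SysWOW64.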
Processes
-
C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe", depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Aadifclh.exe (command line: C:\Windows\system32\Aadifclh.exe, depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Aepefb32.exe (command line: C:\Windows\system32\Aepefb32.exe, depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Agoabn32.exe (command line: C:\Windows\system32\Agoabn32.exe, depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Bfabnjjp.exe (command line: C:\Windows\system32\Bfabnjjp.exe, depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Bebblb32.exe (command line: C:\Windows\system32\Bebblb32.exe, depth 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Bganhm32.exe (command line: C:\Windows\system32\Bganhm32.exe, depth 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Bmngqdpj.exe (command line: C:\Windows\system32\Bmngqdpj.exe, depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Beeoaapl.exe (command line: C:\Windows\system32\Beeoaapl.exe, depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Bgcknmop.exe (command line: C:\Windows\system32\Bgcknmop.exe, depth 10)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bmpcfdmg.exe (command line: C:\Windows\system32\Bmpcfdmg.exe, depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Beglgani.exe (command line: C:\Windows\system32\Beglgani.exe, depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Bgehcmmm.exe (command line: C:\Windows\system32\Bgehcmmm.exe, depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Bjddphlq.exe (command line: C:\Windows\system32\Bjddphlq.exe, depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Banllbdn.exe (command line: C:\Windows\system32\Banllbdn.exe, depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Bclhhnca.exe (command line: C:\Windows\system32\Bclhhnca.exe, depth 16)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Bfkedibe.exe (command line: C:\Windows\system32\Bfkedibe.exe, depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Bmemac32.exe (command line: C:\Windows\system32\Bmemac32.exe, depth 18)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Bcoenmao.exe (command line: C:\Windows\system32\Bcoenmao.exe, depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Chjaol32.exe (command line: C:\Windows\system32\Chjaol32.exe, depth 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Cndikf32.exe (command line: C:\Windows\system32\Cndikf32.exe, depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Cenahpha.exe (command line: C:\Windows\system32\Cenahpha.exe, depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Cfpnph32.exe (command line: C:\Windows\system32\Cfpnph32.exe, depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3356 -
C:\Windows\SysWOW64\Cnffqf32.exe (command line: C:\Windows\system32\Cnffqf32.exe, depth 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Cmiflbel.exe (command line: C:\Windows\system32\Cmiflbel.exe, depth 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Ceqnmpfo.exe (command line: C:\Windows\system32\Ceqnmpfo.exe, depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Cfbkeh32.exe (command line: C:\Windows\system32\Cfbkeh32.exe, depth 27)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4652 -
C:\Windows\SysWOW64\Cmlcbbcj.exe (command line: C:\Windows\system32\Cmlcbbcj.exe, depth 28)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Ceckcp32.exe (command line: C:\Windows\system32\Ceckcp32.exe, depth 29)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Chagok32.exe (command line: C:\Windows\system32\Chagok32.exe, depth 30)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Cajlhqjp.exe (command line: C:\Windows\system32\Cajlhqjp.exe, depth 31)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\Ceehho32.exe (command line: C:\Windows\system32\Ceehho32.exe, depth 32)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Cdhhdlid.exe (command line: C:\Windows\system32\Cdhhdlid.exe, depth 33)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Cffdpghg.exe (command line: C:\Windows\system32\Cffdpghg.exe, depth 34)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Cmqmma32.exe (command line: C:\Windows\system32\Cmqmma32.exe, depth 35)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Calhnpgn.exe (command line: C:\Windows\system32\Calhnpgn.exe, depth 36)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Dfiafg32.exe (command line: C:\Windows\system32\Dfiafg32.exe, depth 37)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Djdmffnn.exe (command line: C:\Windows\system32\Djdmffnn.exe, depth 38)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Dmcibama.exe (command line: C:\Windows\system32\Dmcibama.exe, depth 39)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Danecp32.exe (command line: C:\Windows\system32\Danecp32.exe, depth 40)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Dhhnpjmh.exe (command line: C:\Windows\system32\Dhhnpjmh.exe, depth 41)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Djgjlelk.exe (command line: C:\Windows\system32\Djgjlelk.exe, depth 42)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Dmefhako.exe (command line: C:\Windows\system32\Dmefhako.exe, depth 43)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Delnin32.exe (command line: C:\Windows\system32\Delnin32.exe, depth 44)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5004 -
C:\Windows\SysWOW64\Dfnjafap.exe (command line: C:\Windows\system32\Dfnjafap.exe, depth 45)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1188 -
C:\Windows\SysWOW64\Dodbbdbb.exe (command line: C:\Windows\system32\Dodbbdbb.exe, depth 46)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Dmgbnq32.exe (command line: C:\Windows\system32\Dmgbnq32.exe, depth 47)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3292 -
C:\Windows\SysWOW64\Ddakjkqi.exe (command line: C:\Windows\system32\Ddakjkqi.exe, depth 48)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Dfpgffpm.exe (command line: C:\Windows\system32\Dfpgffpm.exe, depth 49)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:228 -
C:\Windows\SysWOW64\Dogogcpo.exe (command line: C:\Windows\system32\Dogogcpo.exe, depth 50)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3824 -
C:\Windows\SysWOW64\Daekdooc.exe (command line: C:\Windows\system32\Daekdooc.exe, depth 51)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3308 -
C:\Windows\SysWOW64\Dhocqigp.exe (command line: C:\Windows\system32\Dhocqigp.exe, depth 52)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Dknpmdfc.exe (command line: C:\Windows\system32\Dknpmdfc.exe, depth 53)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Doilmc32.exe (command line: C:\Windows\system32\Doilmc32.exe, depth 54)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Dmllipeg.exe (command line: C:\Windows\system32\Dmllipeg.exe, depth 55)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4848 -
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 408, depth 56; crash handler for Dmllipeg.exe, PID 4848)
- Program crash
PID:4352
-
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4848 -ip 4848, depth 1)
PID:2636
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 96KB
MD5 d9a7e70253e7254cbe251bda0af1fc08
SHA1 015226feea70ea5b47e77cf9934cca8021c9fb6a
SHA256 7b6f2016cd007b0f435e42377ec444c0aa4ab15f09edf8aa6051b9bcf6ff64bf
SHA512 cb0273ca51c520cfd0f07ebc8c6e477d018da549c24d78db95ba1cc4a21f16bcb6fa938e938a92d26531f5da6fcc8685c346e31a18affb124529ee62c487ddc0
-
Filesize 96KB
MD5 9eac242ddcc79565e8c0026fdc0b5d0e
SHA1 bfd60b8ac366d3a640062e98fd44f68c09030482
SHA256 9b371aff8b563e5037c5a25025146cef7bb2892aa95c64b8ad9029b954f65f94
SHA512 5df96edab29a59a61e9a6144d0102fb1782455528ce009cc06e2401af3f0350f8f623af4bb2258c9bef170a7e685ad0dabdb8cd780f14c0f1c1ec2c71b05659a
-
Filesize 96KB
MD5 ca0c53796898c1b3665f2cbafd72907c
SHA1 ad27ddc080db68debbe1fa6e79a66fa5e635f809
SHA256 65820ac344ab38ca97ef5d90d1a8b020a0855de8becc94a2fa6bc202f114d2bf
SHA512 d98c69edf5a0f1cf0a6e81e5f0f0ad743a21be5bc5ca903c810f8a5f90f555c95f83832da570392775b4aa8720e920d76dd2e2d432a115a36dfc3b7abffe9908
-
Filesize 96KB
MD5 fb1eb59695d1072705c6542f9b5a01d2
SHA1 d15a7b4feec9f37159b89e86d7c0ea0e5da78baa
SHA256 64c05de0e91494e95a28fad693bdf17d76005a766a42f7b4efbf254eb2d4db3d
SHA512 2b16f07dc36661f46db841931fb33391397b33e6a6a5c3b5c7f6d5e380e678c8b408b738412977b5eb6018b3cda661727984714677868739120ec0ea1a861975
-
Filesize 96KB
MD5 4aa3808962fde5c7bf208bc29547f38a
SHA1 5d68116a3967c434da36fd43140ad6a36471a350
SHA256 98ca02a9ffaf2a56d46b519515f17fc0df1126cd8deb0a1e05e94b28ed476e27
SHA512 710b5bd5a44adb26e99ca84a17111004ede03d4a54bcda5bae044cc9e02c32ad73374040d5021e1406d5701dbd8b2e73b7438fec35981bee020f2cd3b3cb10a2
-
Filesize 96KB
MD5 521e9d4b4946b77ef5a6cb3e1a8c0f86
SHA1 78f3bad4aa929b888bb282a729e21e4f41cf2032
SHA256 c98ac751a6a00ebf9e33e235d4b98c3f53f7253291c1832088083933cbc35133
SHA512 181c7304dd15044d049dcb44c6305bb1e3d04a2305030f3cfe8815f1a49c07f59b3a424def21791528f84e2a8241e299ccf6cd2e02a5d793698a1f819737d917
-
Filesize 96KB
MD5 d3b9a4de53937b2e29182e5c1dbd36c2
SHA1 ae08a56948a8ec92354eae8b469007f0465dce48
SHA256 9762b209aa148ecb54d6a8e6bbc8756d1ce711989aae37d2557725f38e8a626a
SHA512 414b78515c6b43ab2f5427cdac4a35e6142910800b390c72a8128c33d4e7a80e68d583c02c4b058b3a84756ac5b4fc5adc4507c35bee4fa742739ab544ae6314
-
Filesize 96KB
MD5 7f0bcde0b43686c44c717e3df73dfeb0
SHA1 7efe863c6d9f5ae4a25d9d666fc16a7a0a6aed63
SHA256 95d1a4c4411e86b3944817d35b55922caa13618838899b54ca155cf6042e76be
SHA512 18e646ed2b6cd84655771d74b0edd616333e8d196ebbaff2485acbbe954b1fe3877cbdbe633f022111c34cd16de14e3fd47ec26b5ca16e9a92e1545efd628d88
-
Filesize 96KB
MD5 ef6b1118a0412d8daafbe18df34b8f7d
SHA1 164edd6b44d244b362045c35c85c449b81829fd7
SHA256 4d941ed9f9797cc781b1207ee2ba282ef3170116a6e5667920f4151d863469dc
SHA512 af59fdeca376e3562d12627ca22fd0c978fdca4538354ef92b0169e1eaac90ff28889c3b6b6d53df39653aa75b72245caf33ac392847d407596f86b3bad5f2de
-
Filesize 96KB
MD5 67d7735176103b73703943abc5c89a7f
SHA1 24ae193e0508e45e3ab8e022f36738fbd6e27d9c
SHA256 44d1a89b7a87cd7dd09b1d1b51f2d4587f64c41db3882c631dacde5e07d456b6
SHA512 18bcffbbfd5cf2a1cc230de7d4150b368a1cba348f28bcbfd14e5d934e1c761876a6a018e10fbb257e487bfbe0506d1ad3414ade0fe52190134ae93c165e421f
-
Filesize 96KB
MD5 aec6c65ee950a42a31280e6e162b3b06
SHA1 a92665ecae5db828246f557b39217b552b4929e2
SHA256 1ae63d955d58571201e13fed271a02828625d67cc7f9184c934ce36f80ba5966
SHA512 803ea2279ff169a84b4b6247834f57160147f3f59f81f161133a938083bfa32e749324299ded04315c901a7a80093d3af1fe99cdd9a22c33883efd1b429bc80a
-
Filesize 96KB
MD5 3a04a03a02803496b612a8f31c40cacc
SHA1 1a8905727de50b915bd6df13554a5812050a6905
SHA256 6524d70597b827a076c7f37a80fb15dd368cc46cc5f5e629d301a0cc6ee6d9ce
SHA512 bacb2af4742587ed68d5952acbcb9592d6ff8750aef93ad78cc3957a8c9ea87a95e21753fb7695a66f490b2754955bbf00730359a9392a09ea8ba180c0e35197
-
Filesize 96KB
MD5 0dbbc82c281670926f537b884db19f58
SHA1 dbabc92ed8a381809708f45e74d02ecf469752e0
SHA256 fc2e7e3284f8c056bc8f63221a13d8d6edd1ed38b8b8891779fcfca79a2ec9a9
SHA512 41b6da9b57ded609d039ae809ac0998b3ffbee7aec2b9e6493b8534edaa43494e9de0933892bf0e5b84207cdeb84031dae3972d3e078b19e9658f6d9aa5f22eb
-
Filesize 96KB
MD5 5da3f45229a214b2ca97d57e2de449de
SHA1 e2780785bed4e0b0ffc6780c6237e2c4f2c00be1
SHA256 6bfd16362250181ae498c4ba1c9f459c65e028c38e6676501ac0a90f90da93b6
SHA512 beaaf959d44055522b538f3cfecd643490e3a4d9b404eac3daaeaecdb4179fdd1a6fc792dc3cfe75dcce095b3a09c0274ebea2bfaf4a7fff299c5d3f6a7691c9
-
Filesize 96KB
MD5 3bd9acb3dd9c7bfec4e43b5a0d2c5a3b
SHA1 04306812c68431533e9db2320361ae9d9526f98d
SHA256 c6670b8bef36d2ec2f6e19ced3a111c259fb385d7c632559f6c2301880148ef2
SHA512 b31c60f4df7b9a7e343384ee095d4333f849ac7660460e1495d984a890e7cc90a6ad39d9d75d90ecaaa01cf570950dbba98dcded69648594bc673f82ba18e62f
-
Filesize 96KB
MD5 8b1f963c30e8d67f3d18dba9d2033f0e
SHA1 bf037eded307303e266c07f3d21f6a381260b5de
SHA256 4e350c81fd9b6eff8e4e7fe5ea8714f1384963a00ad52e4b19dbac529311593f
SHA512 72061357c883235e485df1a34c4b829a3212195cd59ad3d44be64f5cecd8dad6780024b1768394c7b662acc294a6a202a7f660bf97e1bc6f1a0bd25ce3cbeefb
-
Filesize 96KB
MD5 f2eb38af03a52dfaf3ef7fd98b1dc0b4
SHA1 da9243d8876215a60c787c2804d42686bfb41872
SHA256 0395b6e6812b9b59d8b2c083e0da8381f8c251b8cce1bab5ad443db0f2cc7d4f
SHA512 b6e7e9fc7929d1bdd4f5e18966c3dd50372c9db747c51117ba73ad83fa37331878ef0de5191f545c861d525d6077c88a2b1e16be8d9762ba37ef78534ffb6515
-
Filesize 96KB
MD5 4c00f467dc33180c92ee119e34caf097
SHA1 1f37739a3dad2dd090b1347806e90494d5ba5832
SHA256 dd70b57c7b684657467ec63d4737284dc0533feb685473af72863930cb0be7f4
SHA512 5b6b0bb3176c58e6467ccfc902b079b99cf5c098a1eb839859cd0b26ef669ac43d81e09db30401ba9c278c273c086e931a628769b1bde7fc9019227a22dd5027
-
Filesize 96KB
MD5 3ecf365d5dd5d8112339cec6c87cb713
SHA1 bbad02985e8f187c961a163bb61e32c96fb730a9
SHA256 06f5b34121960b136416dbc5249fd201a10187aefa004dc4ffa44c1353fbbbcb
SHA512 38cd5d62ba6c290f7750b34bae7c4ad9f042c0623e95a33b7f402b15033b7c757f71ef12307a810b2937e8e13f8e7643d09497a1608c984d19bcc81bbd2198c9
-
Filesize 96KB
MD5 18d6fee0aa93c3b211bb46437a8d441d
SHA1 f8018588caf1ab6f2e575c3038901dea13a3700f
SHA256 aaa73976549efce22236cbbe3b576b8aa8c84e545964f7b177ab0f07fa142c46
SHA512 a76485f56ef103d753de21bab029e84fd254ba3ae0795ef74f0fe708c90e3b149d35fe311b8b90323e93894bd7f3e40cfac13b9f0229faa9fd79a131f596ebfc
-
Filesize 96KB
MD5 b3feb0055d8839f127418ebe7c0ec3b9
SHA1 db5ef88603a3133796de15f80a640293b6cf38ae
SHA256 07b602371c2e1495a23ddc11f65aaf6caf7a46c1193a26f18e4635b62121d5a0
SHA512 ad7180cd325830ffdada88b066664cf64fd8023f8f50b0645a461d2d2d363bdf0069be45f4cb33622e19aa0f301119544463b83fbb750947760ee9caae22cb27
-
Filesize 96KB
MD5 8c438636f5f2b41b2e275b061b6859a1
SHA1 dc719874a72aa6d38394fd47c00db3262f14788e
SHA256 00479c7450576648ed09190737087d63f02bcb52b95fd7faef001e8cfd29c2f8
SHA512 05ed6fe9f83b62bbc7c64ed334ff72da6a1c6f27d84ff304366caf34ba8443ba892e83b3db81b2b1b517574a759e24733aff39b0a94e8fc2ba4e07b8907b942b
-
Filesize 96KB
MD5 b6d78e4d956b5044443e6cb5956e4d3b
SHA1 342b5f64b08b15ae819755ea8894bce22ec75ffe
SHA256 8a4908f712e87c1ad33e70f661267d63e1e13ed48d8ee12139dda88bca4d72bb
SHA512 9a24f420fb51504449b24a7a376c84aeb092be9e8f602edac2a7f453f8a4bc5296002705bcee8cd7081ef2c85b0dce6c2780ed16d3d49c53eecd2c890f9f86d5
-
Filesize 96KB
MD5 d20671ca6b716ccfba8aa1fd2daaeb63
SHA1 47063b900549d631c714058a7d1507d332531916
SHA256 e0bccf329734abbb705aa6f3781adfbd2cdf6958307d98601ce9d3370fcc8050
SHA512 f67570d50b5ca8d44cbdd1d1d4ddc72a7213627b9e37ef8021e8da16034c83d01b4d45e38090ecf17a70999fdcd260fd7a57d01ff1f5dc0c7a5e2c96806cfe90
-
Filesize 96KB
MD5 2be5557191cff7ddf9278300ab381169
SHA1 f086717e8278be8b1a99dfd6303485220d18831c
SHA256 2b5be965b0e25a066a67962a682d9a878b00a25b56d2b6dcab5b222353ffa078
SHA512 3fd5de050d55c77b0bb36a71ceccd8a0e29fe77225668e379c1efa031cc26543deaf4839201765aa4ce8d47fc890efbf3486cd861eb6b12cee71b5403468e523
-
Filesize 96KB
MD5 159afa7977c394131c0ee82778c9259a
SHA1 3c5b43921d2fa6a4d4c52277c15c83d30599d944
SHA256 5aab28595a0ad58077c9324397ac3ff225d1a53a32bb2ea40054b0edc00a6cbf
SHA512 31d20981c85e439e3f676c7e9c255842b41c91a9b80ca56afd0c52eb0c30c2fedb76e6010391746a71934fdb4af4ffe1d730b8c8883fa74b8c64fa0baf013f94
-
Filesize 96KB
MD5 5f49072462ed52d808fe70b00374953a
SHA1 84bf97090bb89173b16d816f6e4becf58137c76e
SHA256 c1ec4dcc2adf89eabb409016fba85e0268153a205b4fe01bf75ad45357dd4606
SHA512 8e78bf80d645253cefc7b2543a1f51dee8de43776fc14cd05f9d0c85887e5e63e4206a26a7a24e80b01b9174d067b2bd0564600795798ca112c00f3b2b58631f
-
Filesize 96KB
MD5 d1734fb67cdd6b16f54b0ab1207bf383
SHA1 2f9c0a1276b0acb22593fc64cbb3e9f8108d25e3
SHA256 f39012506b7e3f076a5bdc180665889067a030da29a4fcf7caeca1b3d3302910
SHA512 979699830896395c483b73b972368c0c4e2a9b84ae5b4f769dcc159d82904180362e8cdf4ad9c4650f11906624beb11acf344f186721742f6f3c9e38b5648ccc
-
Filesize 96KB
MD5 8c31528d8a6380d15708e01838f7d7a5
SHA1 dada853f9a5737b50bbcd9dd609cadb89e649143
SHA256 3fb45896cebc0358416a3c33404b604bdaaa75556e8bc2b838f11b8aabe232ed
SHA512 30263643a1c96946ccc395a047d7652dfc34f76de39f8a14d5b27e94cd80409e49df4353911bca9f65045a9c5b7f508fed53b895c25917ff1abeac7ff918502f
-
Filesize 96KB
MD5 53cadcd42948b9cfeb46164d736a6fc7
SHA1 b8f32e6de98369bddd008639422cc70d54d9bcf3
SHA256 d1da324a800fa132f79610de839c25d5a7b6e55bc66e740a325edcf05c63ad83
SHA512 a3fea619c4b28a6f1f371fd1f4af450eb99b479edace5d0b00b23ec92a3f0144ca0949f01700dadb9c1f77f50c371b17acda5ab659edf22c8ffaf6219bfee588
-
Filesize 96KB
MD5 097b93d6d396e6391f3d389e7677889e
SHA1 3b3943b55bee46f725b8052969f67e9a7a7da48e
SHA256 7406a0203c1bf54d88fbccd6fefb022c85414173bee2d3b2457df33c238e2f33
SHA512 33d6b896d93a22228e414ec981532187dc2d8fddb7ef21f77e5040401d34b8a587b925886ea4d64bcb3b17dc8184f547e5d89b8fe158a2dac0220d292ff61031
-
Filesize 96KB
MD5 f40ca3f553adff0375d85732f1e73948
SHA1 c4057e42a6d8a37de57341bdd734de24fe5bc987
SHA256 f7b97c5667ad18f3ce1bd51cfcd15cfdd1929d19296fb9165c6f7e3a7d4aa87d
SHA512 477338936b6659d4d957f0bd14b61014218b883299487eb1689a53019643af3a83d3397ca484e525f05734d719e0bad0573d3a75e971f0836bbdb99336fa5a82
-
Filesize 96KB
MD5 16a6537d5af05126780596d048572d05
SHA1 84f757cbf1dc9d2033095d0d017f6bc02d69981c
SHA256 3b5730bc60a9cac39ff8aeec511ed0acd4c7b0c8e4472a3bcf07a63f319b648e
SHA512 f9a76521f24bd192c71fa17a93d8adb1e9212eefc8c52b24f24af238cd7a9487533fefad63c1181ba6fa59c51766dccfb1c490f3ade6273685eca2ae8ced0488
-
Filesize 96KB
MD5 464a88cdd99c8c5b9090daffee0c0a74
SHA1 0e7dd95877b718f484d5bb40941eebb6c3eabc7b
SHA256 ac9d192ae191a295a051399f6141ecd2a90af4716d2f44f99e1df1ea9523453c
SHA512 9287cb3085368f3a22b96cc000b9217960b24a755a79d19a2589c5ac2402353a56d31f27ccdbff4a5755489ac8df3e37faf3582ce7019951e9a143d3bae23888
-
Filesize 7KB
MD5 ec91f06b4d590882573031b752c92cbe
SHA1 8ebe73a38950f267113164cee75cf0062a13046c
SHA256 5834c142272f491f836612ac77a67c633a0c59234e512996bbb63312e24297db
SHA512 31f8ca358ec4d6668ca75d4fc9fea7f2e6e48c671890317493fbf16e63614e724da519c5a96dc1c7a1fb1ecb3f0ebc3804ed26d25c0604d89685856397469067