Analysis

max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 14:13

Static task: static1

Behavioral task: behavioral1
Sample: f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40N.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40N.exe
Resource: win10v2004-20241007-en
General

Target: f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40N.exe
Size: 79KB
MD5: b64171ce263422c51e1427615db70670
SHA1: 6ddba0911a4c0a31a1f8b2f9605f4ce918d6fc96
SHA256: f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40
SHA512: ef6bb142f487e9b5b132d698a3f607da49c5bd444888d37d7e2b82ceb33d35990edf93dde3d642aea417b34d7dcac2f206341dd810d8ff911a56a46808beb020
SSDEEP: 1536:o69pD+IAi7yPXchbEAQbZWqfkCsT6ZrI1jHJZrR:ouaNXc29fkCsT6u1jHJ9R
Malware Config

Extracted: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 42 IoCs)
Berbew family

Executes dropped EXE (21 IoCs)
pid   Process
4184  Cfdhkhjj.exe
3740  Cnkplejl.exe
4004  Cajlhqjp.exe
2404  Ceehho32.exe
4224  Chcddk32.exe
4468  Cmqmma32.exe
388   Ddjejl32.exe
4948  Dfiafg32.exe
2308  Dmcibama.exe
1860  Dejacond.exe
4108  Dfknkg32.exe
636   Dmefhako.exe
1800  Delnin32.exe
5016  Dkifae32.exe
4808  Dmgbnq32.exe
4296  Deokon32.exe
2592  Dhmgki32.exe
4836  Dkkcge32.exe
2896  Daekdooc.exe
1104  Dhocqigp.exe
3940  Dmllipeg.exe
Drops file in System32 directory (63 IoCs)
Program crash (1 IoC)

pid   pid_target  Process       procid_target
2960  3940        WerFault.exe  106
System Location Discovery: System Language Discovery (1 TTP, 22 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dfknkg32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dmgbnq32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dmllipeg.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Cnkplejl.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Cajlhqjp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Ceehho32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Cmqmma32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dfiafg32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dejacond.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Deokon32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Daekdooc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Chcddk32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Ddjejl32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dmcibama.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Delnin32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dhocqigp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Cfdhkhjj.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dmefhako.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dkifae32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dhmgki32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dkkcge32.exe
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (63 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40N.exe"C:\Users\Admin\AppData\Local\Temp\f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:388
C:\Windows\SysWOW64\Dfiafg32.exe
Command line: C:\Windows\system32\Dfiafg32.exe (depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948
C:\Windows\SysWOW64\Dmcibama.exe
Command line: C:\Windows\system32\Dmcibama.exe (depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308
C:\Windows\SysWOW64\Dejacond.exe
Command line: C:\Windows\system32\Dejacond.exe (depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1860
C:\Windows\SysWOW64\Dfknkg32.exe
Command line: C:\Windows\system32\Dfknkg32.exe (depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108
C:\Windows\SysWOW64\Dmefhako.exe
Command line: C:\Windows\system32\Dmefhako.exe (depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:636
C:\Windows\SysWOW64\Delnin32.exe
Command line: C:\Windows\system32\Delnin32.exe (depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800
C:\Windows\SysWOW64\Dkifae32.exe
Command line: C:\Windows\system32\Dkifae32.exe (depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016
C:\Windows\SysWOW64\Dmgbnq32.exe
Command line: C:\Windows\system32\Dmgbnq32.exe (depth 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808
C:\Windows\SysWOW64\Deokon32.exe
Command line: C:\Windows\system32\Deokon32.exe (depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296
C:\Windows\SysWOW64\Dhmgki32.exe
Command line: C:\Windows\system32\Dhmgki32.exe (depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592
C:\Windows\SysWOW64\Dkkcge32.exe
Command line: C:\Windows\system32\Dkkcge32.exe (depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
C:\Windows\SysWOW64\Daekdooc.exe
Command line: C:\Windows\system32\Daekdooc.exe (depth 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896
C:\Windows\SysWOW64\Dhocqigp.exe
Command line: C:\Windows\system32\Dhocqigp.exe (depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104
C:\Windows\SysWOW64\Dmllipeg.exe
Command line: C:\Windows\system32\Dmllipeg.exe (depth 22)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3940
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 396 (depth 23)
- Program crash
PID:2960
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3940 -ip 3940 (depth 1)
PID:3280
Network
MITRE ATT&CK Enterprise v15
Downloads