Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/11/2024, 14:19

Static task: static1

Behavioral task: behavioral1
- Sample: 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe
- Resource: win10v2004-20241007-en
General
- Target: 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe
- Size: 74KB
- MD5: dc1e5256b8e45d3d63bdc19a00da1080
- SHA1: 1b4b17b1428e5f398bbcdcd6371cb58981171bb7
- SHA256: 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8
- SHA512: 66789943edf44d87ab4391295b0d26f39849d675f1716371a6005ad10b14e418fa07a4efbe4f188abe7d79b57cc4da20993a8d48dee7b423bbad0d29533204f7
- SSDEEP: 1536:PWbSTQ4TojRJSnx0E1RRNk7CbyHerWWXi2MxfvVERJ8mPn2:oSVwgndiCbYWXi2MxfGv
Malware Config
Extracted
- berbew
- http://f/wcmd.htm
- http://f/ppslog.php
- http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 54 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djgjlelk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dgbdlf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdcoim32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjpckf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dkifae32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjbpaf32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdabcm32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmiflbel.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhhnpjmh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Caebma32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjbpaf32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhhnpjmh.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkifae32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgbdlf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ceckcp32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Danecp32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dddhpjof.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Caebma32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdcoim32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnicfe32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Danecp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dfpgffpm.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnicfe32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chcddk32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cegdnopg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddakjkqi.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djgjlelk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddonekbl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dmjocp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjpckf32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfiafg32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dfiafg32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmefhako.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdabcm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfdhkhjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ceehho32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjkjpgfi.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceckcp32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfdhkhjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmiflbel.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceehho32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cegdnopg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dddhpjof.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Chcddk32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dmefhako.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddonekbl.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doilmc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Doilmc32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmjocp32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjkjpgfi.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddakjkqi.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfpgffpm.exe |
Berbew family

Executes dropped EXE (27 IoCs)

| pid | Process |
|---|---|
| 2360 | Cdabcm32.exe |
| 2228 | Cjkjpgfi.exe |
| 1264 | Cmiflbel.exe |
| 2324 | Caebma32.exe |
| 468 | Cdcoim32.exe |
| 3452 | Cnicfe32.exe |
| 516 | Ceckcp32.exe |
| 112 | Cfdhkhjj.exe |
| 3304 | Cjpckf32.exe |
| 2156 | Ceehho32.exe |
| 1624 | Chcddk32.exe |
| 4144 | Cjbpaf32.exe |
| 1936 | Cegdnopg.exe |
| 4676 | Dfiafg32.exe |
| 4048 | Danecp32.exe |
| 3184 | Dhhnpjmh.exe |
| 4972 | Djgjlelk.exe |
| 2880 | Dmefhako.exe |
| 1328 | Ddonekbl.exe |
| 4072 | Dkifae32.exe |
| 5000 | Ddakjkqi.exe |
| 2948 | Dfpgffpm.exe |
| 2688 | Dmjocp32.exe |
| 3608 | Dddhpjof.exe |
| 1896 | Dgbdlf32.exe |
| 1516 | Doilmc32.exe |
| 4724 | Dmllipeg.exe |
Drops file in System32 directory (64 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\Ceehho32.exe | Cjpckf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cegdnopg.exe | Cjbpaf32.exe |
| File created | C:\Windows\SysWOW64\Ddonekbl.exe | Dmefhako.exe |
| File opened for modification | C:\Windows\SysWOW64\Ddonekbl.exe | Dmefhako.exe |
| File opened for modification | C:\Windows\SysWOW64\Dddhpjof.exe | Dmjocp32.exe |
| File created | C:\Windows\SysWOW64\Bbloam32.dll | Cjkjpgfi.exe |
| File opened for modification | C:\Windows\SysWOW64\Ceckcp32.exe | Cnicfe32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cfdhkhjj.exe | Ceckcp32.exe |
| File created | C:\Windows\SysWOW64\Mjelcfha.dll | Dmefhako.exe |
| File opened for modification | C:\Windows\SysWOW64\Dkifae32.exe | Ddonekbl.exe |
| File opened for modification | C:\Windows\SysWOW64\Dmjocp32.exe | Dfpgffpm.exe |
| File opened for modification | C:\Windows\SysWOW64\Dgbdlf32.exe | Dddhpjof.exe |
| File created | C:\Windows\SysWOW64\Diphbb32.dll | Dgbdlf32.exe |
| File created | C:\Windows\SysWOW64\Cfdhkhjj.exe | Ceckcp32.exe |
| File created | C:\Windows\SysWOW64\Ghilmi32.dll | Ceckcp32.exe |
| File opened for modification | C:\Windows\SysWOW64\Danecp32.exe | Dfiafg32.exe |
| File created | C:\Windows\SysWOW64\Kngpec32.dll | Doilmc32.exe |
| File created | C:\Windows\SysWOW64\Omocan32.dll | Cdabcm32.exe |
| File created | C:\Windows\SysWOW64\Gifhkeje.dll | Dkifae32.exe |
| File opened for modification | C:\Windows\SysWOW64\Doilmc32.exe | Dgbdlf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cdcoim32.exe | Caebma32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cjbpaf32.exe | Chcddk32.exe |
| File created | C:\Windows\SysWOW64\Cegdnopg.exe | Cjbpaf32.exe |
| File created | C:\Windows\SysWOW64\Cdabcm32.exe | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe |
| File opened for modification | C:\Windows\SysWOW64\Cdabcm32.exe | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe |
| File opened for modification | C:\Windows\SysWOW64\Cmiflbel.exe | Cjkjpgfi.exe |
| File created | C:\Windows\SysWOW64\Jekpanpa.dll | Cjpckf32.exe |
| File created | C:\Windows\SysWOW64\Bilonkon.dll | Ceehho32.exe |
| File created | C:\Windows\SysWOW64\Mgcail32.dll | Cjbpaf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Dfiafg32.exe | Cegdnopg.exe |
| File opened for modification | C:\Windows\SysWOW64\Dmefhako.exe | Djgjlelk.exe |
| File created | C:\Windows\SysWOW64\Bhicommo.dll | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe |
| File created | C:\Windows\SysWOW64\Cjkjpgfi.exe | Cdabcm32.exe |
| File created | C:\Windows\SysWOW64\Cacamdcd.dll | Cfdhkhjj.exe |
| File created | C:\Windows\SysWOW64\Bobiobnp.dll | Dfpgffpm.exe |
| File created | C:\Windows\SysWOW64\Gfghpl32.dll | Dddhpjof.exe |
| File opened for modification | C:\Windows\SysWOW64\Dhhnpjmh.exe | Danecp32.exe |
| File created | C:\Windows\SysWOW64\Dfpgffpm.exe | Ddakjkqi.exe |
| File opened for modification | C:\Windows\SysWOW64\Caebma32.exe | Cmiflbel.exe |
| File created | C:\Windows\SysWOW64\Dmefhako.exe | Djgjlelk.exe |
| File opened for modification | C:\Windows\SysWOW64\Ddakjkqi.exe | Dkifae32.exe |
| File created | C:\Windows\SysWOW64\Cjpckf32.exe | Cfdhkhjj.exe |
| File created | C:\Windows\SysWOW64\Dhhnpjmh.exe | Danecp32.exe |
| File opened for modification | C:\Windows\SysWOW64\Chcddk32.exe | Ceehho32.exe |
| File created | C:\Windows\SysWOW64\Dfiafg32.exe | Cegdnopg.exe |
| File created | C:\Windows\SysWOW64\Danecp32.exe | Dfiafg32.exe |
| File created | C:\Windows\SysWOW64\Dkifae32.exe | Ddonekbl.exe |
| File opened for modification | C:\Windows\SysWOW64\Dfpgffpm.exe | Ddakjkqi.exe |
| File opened for modification | C:\Windows\SysWOW64\Cjkjpgfi.exe | Cdabcm32.exe |
| File created | C:\Windows\SysWOW64\Cdcoim32.exe | Caebma32.exe |
| File created | C:\Windows\SysWOW64\Ckmllpik.dll | Cdcoim32.exe |
| File created | C:\Windows\SysWOW64\Doilmc32.exe | Dgbdlf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Doilmc32.exe |
| File created | C:\Windows\SysWOW64\Eifnachf.dll | Cnicfe32.exe |
| File created | C:\Windows\SysWOW64\Pdheac32.dll | Ddonekbl.exe |
| File created | C:\Windows\SysWOW64\Dmjocp32.exe | Dfpgffpm.exe |
| File created | C:\Windows\SysWOW64\Kmdjdl32.dll | Ddakjkqi.exe |
| File opened for modification | C:\Windows\SysWOW64\Ceehho32.exe | Cjpckf32.exe |
| File created | C:\Windows\SysWOW64\Agjbpg32.dll | Dfiafg32.exe |
| File opened for modification | C:\Windows\SysWOW64\Djgjlelk.exe | Dhhnpjmh.exe |
| File opened for modification | C:\Windows\SysWOW64\Cjpckf32.exe | Cfdhkhjj.exe |
| File created | C:\Windows\SysWOW64\Jgilhm32.dll | Chcddk32.exe |
| File created | C:\Windows\SysWOW64\Kkmjgool.dll | Cegdnopg.exe |
| File created | C:\Windows\SysWOW64\Beeppfin.dll | Dhhnpjmh.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 2936 | 4724 | WerFault.exe | 112 |
System Location Discovery: System Language Discovery (1 TTP, 28 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmiflbel.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Caebma32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cegdnopg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddonekbl.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmjocp32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Danecp32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdabcm32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dddhpjof.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnicfe32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceckcp32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhhnpjmh.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddakjkqi.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Doilmc32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfiafg32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfpgffpm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgbdlf32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceehho32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djgjlelk.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkifae32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfdhkhjj.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chcddk32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjbpaf32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmefhako.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjkjpgfi.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdcoim32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjpckf32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe |
Modifies registry class (64 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cfdhkhjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cegdnopg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Doilmc32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cdcoim32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" | Cdcoim32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dhhnpjmh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dddhpjof.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Doilmc32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cnicfe32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cjbpaf32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfiafg32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfpgffpm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll" | Cdabcm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ceckcp32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cfdhkhjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cjpckf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll" | Cegdnopg.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dkifae32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" | Ddakjkqi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" | Caebma32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" | Djgjlelk.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ddonekbl.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cnicfe32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" | Cfdhkhjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ddakjkqi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dgbdlf32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cdabcm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Danecp32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Djgjlelk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" | Dmefhako.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" | Dkifae32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Chcddk32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" | Danecp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll" | Cmiflbel.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" | Ceckcp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" | Ceehho32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cjbpaf32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Danecp32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dddhpjof.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" | Dddhpjof.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cmiflbel.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" | Cnicfe32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" | Cjbpaf32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dhhnpjmh.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dmefhako.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ddonekbl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dkifae32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" | Dfpgffpm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cdabcm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Caebma32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ceckcp32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ceehho32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dgbdlf32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cjkjpgfi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chcddk32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ddakjkqi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dfpgffpm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" | Dmjocp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" | Dgbdlf32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Caebma32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cegdnopg.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1592 wrote to memory of 2360 | 1592 | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | 83 |
| PID 1592 wrote to memory of 2360 | 1592 | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | 83 |
| PID 1592 wrote to memory of 2360 | 1592 | 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | 83 |
| PID 2360 wrote to memory of 2228 | 2360 | Cdabcm32.exe | 84 |
| PID 2360 wrote to memory of 2228 | 2360 | Cdabcm32.exe | 84 |
| PID 2360 wrote to memory of 2228 | 2360 | Cdabcm32.exe | 84 |
| PID 2228 wrote to memory of 1264 | 2228 | Cjkjpgfi.exe | 85 |
| PID 2228 wrote to memory of 1264 | 2228 | Cjkjpgfi.exe | 85 |
| PID 2228 wrote to memory of 1264 | 2228 | Cjkjpgfi.exe | 85 |
| PID 1264 wrote to memory of 2324 | 1264 | Cmiflbel.exe | 86 |
| PID 1264 wrote to memory of 2324 | 1264 | Cmiflbel.exe | 86 |
| PID 1264 wrote to memory of 2324 | 1264 | Cmiflbel.exe | 86 |
| PID 2324 wrote to memory of 468 | 2324 | Caebma32.exe | 87 |
| PID 2324 wrote to memory of 468 | 2324 | Caebma32.exe | 87 |
| PID 2324 wrote to memory of 468 | 2324 | Caebma32.exe | 87 |
| PID 468 wrote to memory of 3452 | 468 | Cdcoim32.exe | 88 |
| PID 468 wrote to memory of 3452 | 468 | Cdcoim32.exe | 88 |
| PID 468 wrote to memory of 3452 | 468 | Cdcoim32.exe | 88 |
| PID 3452 wrote to memory of 516 | 3452 | Cnicfe32.exe | 89 |
| PID 3452 wrote to memory of 516 | 3452 | Cnicfe32.exe | 89 |
| PID 3452 wrote to memory of 516 | 3452 | Cnicfe32.exe | 89 |
| PID 516 wrote to memory of 112 | 516 | Ceckcp32.exe | 90 |
| PID 516 wrote to memory of 112 | 516 | Ceckcp32.exe | 90 |
| PID 516 wrote to memory of 112 | 516 | Ceckcp32.exe | 90 |
| PID 112 wrote to memory of 3304 | 112 | Cfdhkhjj.exe | 91 |
| PID 112 wrote to memory of 3304 | 112 | Cfdhkhjj.exe | 91 |
| PID 112 wrote to memory of 3304 | 112 | Cfdhkhjj.exe | 91 |
| PID 3304 wrote to memory of 2156 | 3304 | Cjpckf32.exe | 92 |
| PID 3304 wrote to memory of 2156 | 3304 | Cjpckf32.exe | 92 |
| PID 3304 wrote to memory of 2156 | 3304 | Cjpckf32.exe | 92 |
| PID 2156 wrote to memory of 1624 | 2156 | Ceehho32.exe | 93 |
| PID 2156 wrote to memory of 1624 | 2156 | Ceehho32.exe | 93 |
| PID 2156 wrote to memory of 1624 | 2156 | Ceehho32.exe | 93 |
| PID 1624 wrote to memory of 4144 | 1624 | Chcddk32.exe | 94 |
| PID 1624 wrote to memory of 4144 | 1624 | Chcddk32.exe | 94 |
| PID 1624 wrote to memory of 4144 | 1624 | Chcddk32.exe | 94 |
| PID 4144 wrote to memory of 1936 | 4144 | Cjbpaf32.exe | 96 |
| PID 4144 wrote to memory of 1936 | 4144 | Cjbpaf32.exe | 96 |
| PID 4144 wrote to memory of 1936 | 4144 | Cjbpaf32.exe | 96 |
| PID 1936 wrote to memory of 4676 | 1936 | Cegdnopg.exe | 97 |
| PID 1936 wrote to memory of 4676 | 1936 | Cegdnopg.exe | 97 |
| PID 1936 wrote to memory of 4676 | 1936 | Cegdnopg.exe | 97 |
| PID 4676 wrote to memory of 4048 | 4676 | Dfiafg32.exe | 98 |
| PID 4676 wrote to memory of 4048 | 4676 | Dfiafg32.exe | 98 |
| PID 4676 wrote to memory of 4048 | 4676 | Dfiafg32.exe | 98 |
| PID 4048 wrote to memory of 3184 | 4048 | Danecp32.exe | 99 |
| PID 4048 wrote to memory of 3184 | 4048 | Danecp32.exe | 99 |
| PID 4048 wrote to memory of 3184 | 4048 | Danecp32.exe | 99 |
| PID 3184 wrote to memory of 4972 | 3184 | Dhhnpjmh.exe | 100 |
| PID 3184 wrote to memory of 4972 | 3184 | Dhhnpjmh.exe | 100 |
| PID 3184 wrote to memory of 4972 | 3184 | Dhhnpjmh.exe | 100 |
| PID 4972 wrote to memory of 2880 | 4972 | Djgjlelk.exe | 101 |
| PID 4972 wrote to memory of 2880 | 4972 | Djgjlelk.exe | 101 |
| PID 4972 wrote to memory of 2880 | 4972 | Djgjlelk.exe | 101 |
| PID 2880 wrote to memory of 1328 | 2880 | Dmefhako.exe | 102 |
| PID 2880 wrote to memory of 1328 | 2880 | Dmefhako.exe | 102 |
| PID 2880 wrote to memory of 1328 | 2880 | Dmefhako.exe | 102 |
| PID 1328 wrote to memory of 4072 | 1328 | Ddonekbl.exe | 103 |
| PID 1328 wrote to memory of 4072 | 1328 | Ddonekbl.exe | 103 |
| PID 1328 wrote to memory of 4072 | 1328 | Ddonekbl.exe | 103 |
| PID 4072 wrote to memory of 5000 | 4072 | Dkifae32.exe | 105 |
| PID 4072 wrote to memory of 5000 | 4072 | Dkifae32.exe | 105 |
| PID 4072 wrote to memory of 5000 | 4072 | Dkifae32.exe | 105 |
| PID 5000 wrote to memory of 2948 | 5000 | Ddakjkqi.exe | 106 |
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1592
Level 2: C:\Windows\SysWOW64\Cdabcm32.exe
Command line: C:\Windows\system32\Cdabcm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2360
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 41629⤵
- Program crash
PID:2936
- [level 1] C:\Windows\SysWOW64\WerFault.exe (PID 916)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4724 -ip 4724
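The report gives two views of the same spawn chain: the "wrote to memory of" events (a parent PID writing into the child it has just created, recorded three times per spawn) and the Processes tree, where each dropped executable sits one nesting level below the one that started it. Two things are worth reading off that tree before trusting it: every image is under C:\Windows\SysWOW64 while its command line says system32, which is WOW64 file-system redirection for a 32-bit process rather than two different files, and the chain is strictly linear (each copy starts exactly one successor) until Dmllipeg.exe crashes and WerFault.exe takes over. The script below is an added example, not part of the report or of the sandbox's tooling: it parses a constructed excerpt of the event lines copied from the list above (the first spawn's third event is cut off on the page, so only its two complete lines are included), orders the PIDs into the chain, and cross-checks that chain against a transcription of levels 12 to 16 of the tree, flagging any level step that no write event backs or any PID whose image name differs between the two views. The trailing number on each event line is carried by the report but not explained on the page, so it is captured and ignored.

```python
import re
from collections import Counter

# Constructed excerpt: the first four spawns of the "wrote to memory of" list
# in the report above, copied as printed (two complete lines survive for the
# first spawn, three for each of the others).
EVENTS = """\
PID 1624 wrote to memory of 4144 1624 Chcddk32.exe 94
PID 1624 wrote to memory of 4144 1624 Chcddk32.exe 94
PID 4144 wrote to memory of 1936 4144 Cjbpaf32.exe 96
PID 4144 wrote to memory of 1936 4144 Cjbpaf32.exe 96
PID 4144 wrote to memory of 1936 4144 Cjbpaf32.exe 96
PID 1936 wrote to memory of 4676 1936 Cegdnopg.exe 97
PID 1936 wrote to memory of 4676 1936 Cegdnopg.exe 97
PID 1936 wrote to memory of 4676 1936 Cegdnopg.exe 97
PID 4676 wrote to memory of 4048 4676 Dfiafg32.exe 98
PID 4676 wrote to memory of 4048 4676 Dfiafg32.exe 98
PID 4676 wrote to memory of 4048 4676 Dfiafg32.exe 98
"""

# Constructed excerpt of the Processes tree as (nesting level, image path, pid),
# transcribed from levels 12 to 16 of the report above.
TREE = [
    (12, r"C:\Windows\SysWOW64\Chcddk32.exe", 1624),
    (13, r"C:\Windows\SysWOW64\Cjbpaf32.exe", 4144),
    (14, r"C:\Windows\SysWOW64\Cegdnopg.exe", 1936),
    (15, r"C:\Windows\SysWOW64\Dfiafg32.exe", 4676),
    (16, r"C:\Windows\SysWOW64\Danecp32.exe", 4048),
]

# "PID <src> wrote to memory of <dst> <src> <image> <n>": the writer pid is
# repeated after the target, and the final number is kept but not interpreted.
EVENT_RE = re.compile(
    r"^(?:PID )?(?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<n>\d+)$"
)


def parse_events(text):
    """Return (writes, names): writes counts WriteProcessMemory events per
    (parent_pid, child_pid) edge; names maps a writer pid to its image name."""
    writes, names = Counter(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised event line: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        names[src] = m["image"]
        writes[(src, dst)] += 1
    return writes, names


def spawn_chain(writes):
    """Order the pids along the single parent->child chain the edges describe.
    A pid with two children or two parents (fan-out, or pid reuse inside the
    run) is refused rather than silently linearised."""
    parent_of, child_of = {}, {}
    for src, dst in writes:
        if dst in parent_of or src in child_of:
            raise ValueError(f"edge {src}->{dst} is not part of a linear chain")
        parent_of[dst] = src
        child_of[src] = dst
    roots = [p for p in child_of if p not in parent_of]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    chain = [roots[0]]
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
    return chain


def check_tree(tree, writes, names):
    """Cross-check the Processes tree against the event edges. Every step one
    level deeper must be backed by a write from the shallower pid into the
    deeper one, and the writer's image name must match the tree's basename.
    Returns a list of problems; an empty list means the two views agree."""
    problems = []
    for (lvl_p, path_p, pid_p), (lvl_c, _, pid_c) in zip(tree, tree[1:]):
        if lvl_c != lvl_p + 1:
            problems.append(f"level jump {lvl_p}->{lvl_c} between pid {pid_p} and {pid_c}")
            continue
        if writes.get((pid_p, pid_c), 0) == 0:
            problems.append(f"no WriteProcessMemory event for {pid_p}->{pid_c}")
        basename = path_p.rsplit("\\", 1)[-1]
        if names.get(pid_p) != basename:
            problems.append(f"pid {pid_p} is {basename} in the tree but {names.get(pid_p)} in the events")
    return problems


if __name__ == "__main__":
    writes, names = parse_events(EVENTS)
    chain = spawn_chain(writes)
    for parent, child in zip(chain, chain[1:]):
        print(f"{names[parent]} ({parent}) -> {names.get(child, '?')} ({child}): "
              f"{writes[(parent, child)]} write(s)")
    for line in check_tree(TREE, writes, names) or ["tree and events agree"]:
        print(line)
```

The same two functions work on the full event list and the full tree; the only reason to run them on a report like this one is that PIDs get reused on a busy host, and a reused PID is exactly what would make the event list and the tree disagree.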
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 74KB
  MD5: 54793eb9b3aecb0d9364daccd96180dd
  SHA1: 53de0f0e1b7a6dc550633ae34e185d667dbf1965
  SHA256: 019aaaf376cadb55afaf180db8a21e94e198be41878c3afab557f48a3d27362a
  SHA512: e0da704f4f8f0e234f728fb5be4a5e6adbcdb10103047ac96c73257d098dc920a03343fc9a2a72cdd291c3eed92a2ff2a55613ddf05cc3ec86e82f6c7c2f6eab
- Filesize: 74KB
  MD5: 826fd67a279289d0da56ad765d96a716
  SHA1: 12e5b51de28f1509d88ad439c25e572770062f7e
  SHA256: 1a9b68b0ad9924f0e0f3beadb795148813af0cdbd150058ec84faf8bf13f2066
  SHA512: f449bc349aaf846c5c88b2120b413eb1b743b036266e567f16b426666c772d5026b5877f3c4a2d75a6314a0dd8e26857a0099009c89b0ee123f10e1e6bd330db
- Filesize: 74KB
  MD5: 6c20ffce8a97421b80761c983feca3c6
  SHA1: f5b3c61f7feba9d9e9cf5a44a930606a444b2e82
  SHA256: 05fc99a560289d407b95375852225de0bdd4a00af04f62f57b80d88729233a95
  SHA512: 24042a0c8aac669c0821103efed40bdda12d5a838574fd41925069b9abc30b2210b636e31ee484da937da3b1a3eee4577bc13ab7401ea1a8cad5250440735c78
- Filesize: 74KB
  MD5: b137e5cfe18aaa66555f6f6886b8fe8b
  SHA1: 3642d9ab2705ce347f878774da2c405f8a5fad14
  SHA256: 9e73affcaa603ce37cd61b8cbbe2941490c0dbfff241566f3815937a13414823
  SHA512: 43de038606b691e89aa994ad1eece499318daea225a576a2ab96180a9ac06a8da8f55971bec5976345394890c47e0376f9dafce9a9f74d0dbab8a6c1f63a6e7d
- Filesize: 74KB
  MD5: ced9fb3968fa365643f4e2c52c38f135
  SHA1: ea07c2ece3e4234d771e4719c3a477b60bef67a2
  SHA256: 1229ec4bbd9eb57f0c1e5fb01f209fe2cef63853091e6ead3171c4fcc8255366
  SHA512: 8108d6322ff0ead2a3c5d24f8c3cb366db10369038fe84c59dbecae73a71961214e6cf288d1f0de05507ea50aa99535c9fb8fd0f8222190eed1a0b9fc801f1ba
- Filesize: 74KB
  MD5: 16d029e1e8d37a7263a3314b5055ecb3
  SHA1: 3be0331aab664fdfd7769f84a2be2c3bc8d5ac3d
  SHA256: ce5c2c4963aeab9056945327f9b9882fb03396a819c0ad9c4177ea2e4204c387
  SHA512: 7b30750b50abc83f9cb60851daaaa80a75b23abc314737d028a8a0ac9ca2f69a0db925289fd6edc80ccd13f8abf5e89ea08fcfd8b1c8f08a1bc7dd72c44ab60f
- Filesize: 74KB
  MD5: f0837c01809c6ea5d9d9e97b61fa3d1e
  SHA1: efd32af9119bc83fa8f1607ead8ece82d17d8be1
  SHA256: a9cfb8a7fcc5c6a52f8c861a41857fac24c46346c46787adc62ca1d1f0953a29
  SHA512: 0f0a12b43840fa9428fc7cbc0fbe6c69fad9e21e090e64c917795efcb3c78d0b7d468d77d93b2f38f85baf25ed7fe020cf2bfd6098eeb9113a0e3ba57279ce36
- Filesize: 74KB
  MD5: 8aee369243639760a3a42138da5db937
  SHA1: 379b4e9bbde4c90e8b2f3116b5de739dcdc9a1d4
  SHA256: efa2db6296ff1260ffe62633e9063c0b03022f553cbd29b94ee23dda2fba10fa
  SHA512: 2efee00fe6042f7aeef98d4e757f93d172ec6198aa76492727f8203e09e78d4644daec85f9730574a75a8ac0ba520f97e60674e68bfca1896e59d84ced7f245a
- Filesize: 74KB
  MD5: 3089d791cca18cd60afb73052c900a49
  SHA1: 8b763cf194ef8dbbd8edc9053226123847d251f2
  SHA256: e87c7c3fba6cab76fb34cbad7814b522fc2b30bbb2f7d30a4ccb6633344c1afc
  SHA512: d690a6ab1e6c3c1c4fefac967486402bfae9cd0272bf09a53125fd8bad648a8f7931c8ce230f632dba827ac27a44fc9cc0b39587ca8578ca8b12e30b82656ac0
- Filesize: 74KB
  MD5: 84096d780dbd84cca88070982438d21a
  SHA1: f2c8f1fa7de632ad341d812f254d7b30290377b1
  SHA256: c28723efb0170e8d3cbc41350fe36cdcf2f9a875ebe6c542612ad85a0063fdc2
  SHA512: 0c4a1b9f867a155a46bf8d14f23630a35dbb49a20ba3ba2b824a8b0d1e8296cc4e6fc77a7a66a1b443174694d72009806267da2c4334797b96fe81f1f774c9a5
- Filesize: 74KB
  MD5: be1bd9dce8124cc47923b53da5b7f644
  SHA1: 5a62c5e05870030b958c52c1a6e53c5b527acdfc
  SHA256: 31e6c438844468a1f2cb98063a03a909c9e15c30ba85f4bc2157322da35b4742
  SHA512: 6a4e8b293964ef4c39695255b4756db47e49cd70d8ea44ddf6b56f2fe7eab33c8cea965d73b7999b843fbef29722d9191e614cdbdc3240263dd73d9a7ba7e848
- Filesize: 74KB
  MD5: 01ece0d9d8ea3eb1fda53b3982b944cb
  SHA1: add1d9fee308262b1320498bcd13c17945133ecd
  SHA256: 17f27fc473a69066e933054d08886c745d663d62887840a0b6648e22b5f68d1b
  SHA512: bcd4fc4eb4274f7d901aab0804ab1e18f56f82a769c963626a3bcff288a9e59590aa5370dd5f8cf2c9bd7b9fd086254433bb5d3c71934810824bd2b86861fe61
- Filesize: 74KB
  MD5: eb2fdbea88cb0fd16c831fab467f5601
  SHA1: fa91547114748712f96a5329982f906e50991518
  SHA256: a683c21228b99a2d5d6a4047bc38a0d50dafc58cd0eb39ae9fd3bef757485f6d
  SHA512: 9da4577247488365f25a85ab2b25282248f8d051a6fc62783099da5084653ce8242b08c43b2ba97b28f79ad30b74bf03a0e15d25b617b263faf1289dcf769fe4
- Filesize: 74KB
  MD5: 0b4d631734276d07b5e86f534b65a9a1
  SHA1: e4405fc62432715ac2bfc95f4accd610caf958c3
  SHA256: 261ce64f7db1f33826eacd6f1eb043d01ab201db3a7792f6bfc7117bb0f6a94a
  SHA512: 0e4c86a99533983d2ee64f4f38a5e9da176db907d9176982de99f8de09e1b1f01ccce2f02f7ba5968e7eff1d0b77616e3c09c233c17c29a413fecfe9b76c269b
- Filesize: 74KB
  MD5: a753b2e597323f95bfa083db96d7abbc
  SHA1: 13cf2599b88686a66d49471a1787e0a00b4c4c95
  SHA256: bdc53f1d8101617f837967c5717853b95746cbbf338c9313e3f19b3b7c70fc63
  SHA512: 4ebc48dc91d9d3fb5a8fac4c5eba899da75bda977eb4036c3b75953f8175c54c1dc8d14a594a0231bd15571ffeee0ea25450ca3adf3aa3ecd3367e2c11542f4f
- Filesize: 74KB
  MD5: 52972750a6f7f8cadabd2a3604fded7d
  SHA1: 53691d6b0c4e85b66985789f4116d1417ffb50f6
  SHA256: d448c78488dea27c85a99f5606ad5bf5027859e301cfa97a5e7f29b83ad2e0e9
  SHA512: 5ff06555d32e9ab77d5d9e32f78c5f7e520433ad4f25ba31f216a0107e596fa169e05f1a96237fd1cd813d2c704c4f80c09cdcf3e68112fc3b763f55a688d5dd
- Filesize: 74KB
  MD5: 69d5842c54c3fcfee59b424ac1da7a21
  SHA1: 482bd0918984b87e92b732dabd453714f1b49a20
  SHA256: 7399d348db2c86c573800148394149281067fc81edf2cd23a590f295a0d0b652
  SHA512: fe1e714c829048a4f02124ae2aea1aebd59c697b5d8cd3c90fa1e009f6cbf47876d9c064f4d9aad46dc7aedf6d2d6213fdabbca83238fa2effe320809fc696a8
- Filesize: 74KB
  MD5: 4da75e874a3cebdddfc11e7d9de02760
  SHA1: a8bd0af35becff4f497c35db50bd74a27d3a30e2
  SHA256: 0e425d45118801755478fe29174d1ddf3806be48868042e687e0ce16bef697f4
  SHA512: 894780873099faf01d85c9a3ca7f8cad682a39f7c5d1ce0435c4fc4b69a1d5a6d4de216d6b47ee27c7c382c83095e2b6fd7d7c125dcf3ddd7d633d6519f85d8c
- Filesize: 74KB
  MD5: 856f009f9aaa04d87d3a48ff932c8a08
  SHA1: 48126e2e94205b7019c2f878cc1a5a07360be506
  SHA256: 560c9cd8e3324a2f51bc6c0b691f848ab393aa79bb9a3f63f28d41154f4967e7
  SHA512: 0f999b86951d2a9bd51d9538d600ee633597bce5ccfea9512d357f4b2560408c2bb7768b0397e7b1b0ad73b2813bf7bc17ff5794392cfa566788a612a66c3ea0
- Filesize: 74KB
  MD5: 3e958359f44fb481149a2e0e295c8597
  SHA1: dde7ce80fe2005387a2e552b65ae3ebf256d7c6d
  SHA256: ef59f212b13acc127bcc31912bf0649c4b18fa6593ff0f0c31b097bcf1c2eec6
  SHA512: 0fa8d85950ea29490c26197bbcbc9d8b6fff8baf1d6333a8c8f787f53c623402de59ff8afad8661388a56d756fc4359605f629fe11bf92d5f5e44c2a2671800d
- Filesize: 74KB
  MD5: 5ffc2ed3179994d7cd2a57eef26b80fe
  SHA1: 49bd3ed62039b39701ce2c398b73ddfde35836ae
  SHA256: fbbc31d2f0fb663f8bbc702e99da4cfdb449797b25b384886803f45778d13a99
  SHA512: e5ab1658d4d41da4f1d0e73b18615ba8a7e7efa12a23b0d54b7c9b27310691b4cd9e8d6785dd6db364f9a1eaf84fa859c0f3b63d50c02c107ec8906111ffe7eb
- Filesize: 74KB
  MD5: c455233fe0dab8a369b7a11d6ba72891
  SHA1: 42866a3cbac19a3c3cc40f2ecb7ece9a5dd6c813
  SHA256: e636087321073b51192cceccd22176d3bfbc330c5ec1969ebe8892a469cab17b
  SHA512: a1e56f9f8c96a37fd07ac4b3a1c87e3f754fecb5329e6189e8dd42cd598354c10efab26f4c3656f6c3fb09baf0477514a54735bfc44dc3148ed36d294434cc59
- Filesize: 74KB
  MD5: ac46655bc91b41444757ec17b5b1938d
  SHA1: 7809819c1f01f85191286725665245aad0237c57
  SHA256: f6b67917153b9c1781453f282e35dc1a1f24a8d8707fc16b1c56dbe14230b613
  SHA512: f730b89263368220646b7c39ea306de42ca41fc81abbea6acd93ab86f96411b7f45fa3527a6f7f7477cd8d7a7c19d6d57c1bb6a2adfcadb340b9614161669ac9
- Filesize: 74KB
  MD5: 5bf7834c98a611ef707fef9dc2871981
  SHA1: 0daa90abb98633c73c089b26e03e5e54f7af6cfc
  SHA256: fbad722a75ac72f11d55fbd90a360d2c724b0d9d3e77529ff678751ee34a4307
  SHA512: 11af5be9efd7b906ea0d3c1aec6b7cc3cc3f364702b7eade337c1e1b3996a77771b0c5dbe9101efedace79398bbeda16482c078568834549e1cf4831e87e2416
- Filesize: 74KB
  MD5: ed5d95ba35e9cfe447bdb7e5e84ff046
  SHA1: b078e0845e20fa36f9cb5972cb70df260fba9cd4
  SHA256: 0990580b51e5d98f71d822c4ad238936618e5b2bdd02c063888191067d4dcc53
  SHA512: 6dee1fd930a797f8b76c44c2ca2371c143f918772669c53593b57f7ac05a9690f627024f3ccf88d6c341a7cd6bada12590f2af06a4edc389b8123faf083fbc76
- Filesize: 74KB
  MD5: a237e6a51456f1f1fac35df6862317fc
  SHA1: a204b92fdad4bd244d2960428544d045a6d1df8c
  SHA256: 6046608959fad343efda52c2ee532d4edab69b6591328ea23ee87ccdbaa072da
  SHA512: 3cea33131a160ac8b1ff6cf6c362b0ea57dda4b873a1ae87c286ad00a757dd0ce7b02b92cbd75696a116ad278391d0b23b526d97f33db606088fe64ed60e9ba6
- Filesize: 74KB
  MD5: fa72dc5ef18e18164b6d0764512a9159
  SHA1: 284ac322971890beb46b108d0115ab90c36b225a
  SHA256: c5de75e116aed6d870c3f1d5346905354ed92cf52a0a14bfd5d027074f139f91
  SHA512: e0c88ddbc1b4f13696d925e95e28439b188b21cc778bbc6643c2123227c5d390bb7154afb917bcf34a9d7d4b6353e43ac83315458a52bab89844644ddf44bf99
- Filesize: 7KB
  MD5: af1da632033bd44b7626581019df4b25
  SHA1: 249c432b9f06b792a1f914f2bb6b39086ddec5c5
  SHA256: 95226d5e16e5b6fef77c3695b3847bd29dde17c10b1a0b6074be3d6a1bf86e76
  SHA512: 31ba7a47beea8f048c9920e2c9d7b065f2d1451043424fd621a3b7616c1c168be4bfa5cd0dffaa3e7411ce9245acc7b78de7e2f20b979de890dd3b71936bbe63
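Twenty-seven of the twenty-eight captured files are 74KB, the same size as the submitted sample and one per dropped executable in the process tree, and every one of them has a different digest, so each copy is a re-encoded variant rather than a byte-for-byte clone. That shapes how the list is useful: the digests identify exactly these artifacts and nothing else, while the behaviours the signatures flag (copies dropped into System32, each copy starting the next, the Explorer autorun key) are what generalise to the next run. The Python below is an added example, not tooling from the report: parse_downloads() turns a constructed excerpt of the list above (three records copied as the page prints them, with the hash label fused to the hex) into validated records, rejecting a mis-split label or a truncated digest by length, and scan_directory() hashes files under a directory and reports those whose SHA256 is on the list, skipping anything larger than the largest listed size before reading it. The default scan root and the one-kilobyte size slack (the report rounds sizes to whole KB) are my assumptions.

```python
import hashlib
import os
import re

# Constructed excerpt of the Downloads list above: two of the 74KB dropped
# copies and the 7KB file, in the page's fused "label+hex" form.
DOWNLOADS = """\
-
Filesize
74KB
MD554793eb9b3aecb0d9364daccd96180dd
SHA153de0f0e1b7a6dc550633ae34e185d667dbf1965
SHA256019aaaf376cadb55afaf180db8a21e94e198be41878c3afab557f48a3d27362a
SHA512e0da704f4f8f0e234f728fb5be4a5e6adbcdb10103047ac96c73257d098dc920a03343fc9a2a72cdd291c3eed92a2ff2a55613ddf05cc3ec86e82f6c7c2f6eab
-
Filesize
74KB
MD5826fd67a279289d0da56ad765d96a716
SHA112e5b51de28f1509d88ad439c25e572770062f7e
SHA2561a9b68b0ad9924f0e0f3beadb795148813af0cdbd150058ec84faf8bf13f2066
SHA512f449bc349aaf846c5c88b2120b413eb1b743b036266e567f16b426666c772d5026b5877f3c4a2d75a6314a0dd8e26857a0099009c89b0ee123f10e1e6bd330db
-
Filesize
7KB
MD5af1da632033bd44b7626581019df4b25
SHA1249c432b9f06b792a1f914f2bb6b39086ddec5c5
SHA25695226d5e16e5b6fef77c3695b3847bd29dde17c10b1a0b6074be3d6a1bf86e76
SHA51231ba7a47beea8f048c9920e2c9d7b065f2d1451043424fd621a3b7616c1c168be4bfa5cd0dffaa3e7411ce9245acc7b78de7e2f20b979de890dd3b71936bbe63
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longer labels are tried first so "SHA512..." and "SHA256..." are not split
# as "SHA1" followed by hex; the length check below catches any remaining mis-split.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^(\d+)KB$")


def parse_downloads(text):
    """Parse the report's Downloads block into dicts keyed size_kb, md5, sha1,
    sha256, sha512. Each "-" starts a record; "Filesize" takes its value from
    the next line; every other line must be a hash label fused to its digest."""
    records = []
    lines = iter(line.strip() for line in text.splitlines())
    for line in lines:
        if line == "-":
            records.append({})
            continue
        if not line:
            continue
        if not records:
            raise ValueError(f"field before first record: {line!r}")
        if line == "Filesize":
            m = SIZE_RE.match(next(lines, ""))
            if m is None:
                raise ValueError("Filesize not followed by '<n>KB'")
            records[-1]["size_kb"] = int(m.group(1))
            continue
        m = LABEL_RE.match(line)
        if m is None:
            raise ValueError(f"unexpected line: {line!r}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HEX_LEN[algo]:
            raise ValueError(f"{algo} digest has {len(digest)} hex chars, expected {HEX_LEN[algo]}")
        records[-1][algo.lower()] = digest
    return records


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, records, slack_kb=1):
    """Walk root and return [(path, sha256)] for files whose SHA256 is listed.
    Files larger than the largest listed size plus slack_kb (assumed slack for
    the report's whole-KB rounding) are skipped without being read."""
    wanted = {r["sha256"] for r in records if "sha256" in r}
    cap = (max(r["size_kb"] for r in records) + slack_kb) * 1024
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > cap:
                    continue
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable, or gone between listing and open
            if digest in wanted:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    import sys
    iocs = parse_downloads(DOWNLOADS)
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\SysWOW64"  # assumed default
    for path, digest in scan_directory(root, iocs):
        print(f"MATCH {digest} {path}")
```

Run it against a suspect host's SysWOW64 (or a mounted image) with the full list pasted into DOWNLOADS; an empty result rules out only these exact copies, so pair it with a check of the dropped-file and autorun behaviours the report flags rather than treating the hashes as the whole indicator set.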