Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/11/2024, 08:24
Static task: static1
Behavioral task: behavioral1
  Sample: b558c61aa4ee2214aac776b13420f4ab70928d0f21f25b8adf08a411e4c1ea24.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b558c61aa4ee2214aac776b13420f4ab70928d0f21f25b8adf08a411e4c1ea24.exe
  Resource: win10v2004-20241007-en
General
Target: b558c61aa4ee2214aac776b13420f4ab70928d0f21f25b8adf08a411e4c1ea24.exe
Size: 87KB
MD5: 8841f3af75c8b9dd75b024558bbf3b44
SHA1: 29fde6ab5acf924030325da2d558a01d08c3e79c
SHA256: b558c61aa4ee2214aac776b13420f4ab70928d0f21f25b8adf08a411e4c1ea24
SHA512: 6b5d92232f287b2072ab27f510ef496577a8cd290b7243d3bdf4bfdc8b56b9abd86b5b0a90d439915b424c601129b8d509d6cb532a4df23c22e6d8f88bfcc09f
SSDEEP: 1536:SWhlhWO3CC/Otd4gjINgULJtd7SW3RQ4h8RSRBDNrR0RVe7R6R8RPD2z5:UEC6Of4ghm5SeefAnDlmbGcGFDe5
Malware Config
Extracted (family: berbew)
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs
Berbew family
Executes dropped EXE 29 IoCs
pid Process 3456 Bmemac32.exe 3404 Bcoenmao.exe 3840 Cfmajipb.exe 1560 Cmgjgcgo.exe 4236 Cdabcm32.exe 3600 Cfpnph32.exe 1324 Cmiflbel.exe 3552 Ceqnmpfo.exe 776 Cdcoim32.exe 4220 Cfbkeh32.exe 2044 Cmlcbbcj.exe 4740 Cagobalc.exe 1676 Cjpckf32.exe 432 Ceehho32.exe 1636 Cffdpghg.exe 532 Cmqmma32.exe 4336 Dhfajjoj.exe 2600 Djdmffnn.exe 4076 Danecp32.exe 4288 Dfknkg32.exe 3948 Djgjlelk.exe 5084 Dobfld32.exe 1968 Dfnjafap.exe 980 Dmgbnq32.exe 2464 Ddakjkqi.exe 4388 Dogogcpo.exe 2472 Daekdooc.exe 1072 Dhocqigp.exe 3964 Dmllipeg.exe
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4616, pid_target: 3964, Process: WerFault.exe, procid_target: 114
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\b558c61aa4ee2214aac776b13420f4ab70928d0f21f25b8adf08a411e4c1ea24.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\b558c61aa4ee2214aac776b13420f4ab70928d0f21f25b8adf08a411e4c1ea24.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4476

C:\Windows\SysWOW64\Bmemac32.exe (level 2)
Command line: C:\Windows\system32\Bmemac32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3456

C:\Windows\SysWOW64\Bcoenmao.exe (level 3)
Command line: C:\Windows\system32\Bcoenmao.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3404

C:\Windows\SysWOW64\Cfmajipb.exe (level 4)
Command line: C:\Windows\system32\Cfmajipb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3840

C:\Windows\SysWOW64\Cmgjgcgo.exe (level 5)
Command line: C:\Windows\system32\Cmgjgcgo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1560

C:\Windows\SysWOW64\Cdabcm32.exe (level 6)
Command line: C:\Windows\system32\Cdabcm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4236

C:\Windows\SysWOW64\Cfpnph32.exe (level 7)
Command line: C:\Windows\system32\Cfpnph32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3600

C:\Windows\SysWOW64\Cmiflbel.exe (level 8)
Command line: C:\Windows\system32\Cmiflbel.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1324

C:\Windows\SysWOW64\Ceqnmpfo.exe (level 9)
Command line: C:\Windows\system32\Ceqnmpfo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3552

C:\Windows\SysWOW64\Cdcoim32.exe (level 10)
Command line: C:\Windows\system32\Cdcoim32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 776

C:\Windows\SysWOW64\Cfbkeh32.exe (level 11)
Command line: C:\Windows\system32\Cfbkeh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4220

C:\Windows\SysWOW64\Cmlcbbcj.exe (level 12)
Command line: C:\Windows\system32\Cmlcbbcj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2044

C:\Windows\SysWOW64\Cagobalc.exe (level 13)
Command line: C:\Windows\system32\Cagobalc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4740

C:\Windows\SysWOW64\Cjpckf32.exe (level 14)
Command line: C:\Windows\system32\Cjpckf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1676

C:\Windows\SysWOW64\Ceehho32.exe (level 15)
Command line: C:\Windows\system32\Ceehho32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 432

C:\Windows\SysWOW64\Cffdpghg.exe (level 16)
Command line: C:\Windows\system32\Cffdpghg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1636

C:\Windows\SysWOW64\Cmqmma32.exe (level 17)
Command line: C:\Windows\system32\Cmqmma32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 532

C:\Windows\SysWOW64\Dhfajjoj.exe (level 18)
Command line: C:\Windows\system32\Dhfajjoj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4336

C:\Windows\SysWOW64\Djdmffnn.exe (level 19)
Command line: C:\Windows\system32\Djdmffnn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2600

C:\Windows\SysWOW64\Danecp32.exe (level 20)
Command line: C:\Windows\system32\Danecp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4076

C:\Windows\SysWOW64\Dfknkg32.exe (level 21)
Command line: C:\Windows\system32\Dfknkg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4288

C:\Windows\SysWOW64\Djgjlelk.exe (level 22)
Command line: C:\Windows\system32\Djgjlelk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3948

C:\Windows\SysWOW64\Dobfld32.exe (level 23)
Command line: C:\Windows\system32\Dobfld32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 5084

C:\Windows\SysWOW64\Dfnjafap.exe (level 24)
Command line: C:\Windows\system32\Dfnjafap.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1968

C:\Windows\SysWOW64\Dmgbnq32.exe (level 25)
Command line: C:\Windows\system32\Dmgbnq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 980

C:\Windows\SysWOW64\Ddakjkqi.exe (level 26)
Command line: C:\Windows\system32\Ddakjkqi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2464

C:\Windows\SysWOW64\Dogogcpo.exe (level 27)
Command line: C:\Windows\system32\Dogogcpo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4388

C:\Windows\SysWOW64\Daekdooc.exe (level 28)
Command line: C:\Windows\system32\Daekdooc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2472

C:\Windows\SysWOW64\Dhocqigp.exe (level 29)
Command line: C:\Windows\system32\Dhocqigp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1072

C:\Windows\SysWOW64\Dmllipeg.exe (level 30)
Command line: C:\Windows\system32\Dmllipeg.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3964

C:\Windows\SysWOW64\WerFault.exe (level 31)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 408
- Program crash
PID: 4616

C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3964 -ip 3964
PID: 1720
Network
MITRE ATT&CK Enterprise v15
Downloads