Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 18:53

Static task: static1
Behavioral task: behavioral1
  Sample: d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe
  Resource: win10v2004-20241007-en

General
Target: d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe
Size: 302KB
MD5: cd3fc070e83791075207a2d6c7a71684
SHA1: aad5f5d97c454225964293f61ab3d450a6e7bc22
SHA256: d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8
SHA512: 695e00589f383e6f3dbcde78ce0985748239ca547908ad4cf8fc41995c2e30eed18c02b21f86709b509edbf754f68e892f4adc095b7e52b9134942aeb0869568
SSDEEP: 6144:zUBeuhFrG03FF7fPtcsw6UJZqktbOUqCTGepXgbWHr:zQzFrJ3FF7fFcsw6UJZqktbDqCTGepXH
Malware Config
Extracted family: berbew
URLs:
  http://f/wcmd.htm
  http://f/ppslog.php
  http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by 35 processes: Ddmchcnd.exe, Cceapl32.exe, Dhklna32.exe, Eqngcc32.exe, Cgjgol32.exe, Doqkpl32.exe, Cfaqfh32.exe, Dnjalhpp.exe, Dqinhcoc.exe, Efhcej32.exe, Cdngip32.exe, Elieipej.exe, Dnfhqi32.exe, Dgqion32.exe, Bknmok32.exe, Ccgnelll.exe, Epqgopbi.exe, Egpena32.exe, Befnbd32.exe, Dcjjkkji.exe, Dbmkfh32.exe, Fllaopcg.exe, Ebappk32.exe, Eikimeff.exe, Eiilge32.exe, Bedamd32.exe, Ejabqi32.exe, Ekghcq32.exe, Empomd32.exe, Bahelebm.exe, Bhdjno32.exe, Dnckki32.exe, d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe, Cjoilfek.exe, Djafaf32.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
  by 29 processes: Dnjalhpp.exe, Ekghcq32.exe, Egpena32.exe, Dcjjkkji.exe, Dbadagln.exe, Empomd32.exe, Dbmkfh32.exe, Dbdagg32.exe, Befnbd32.exe, Elieipej.exe, Dkjhjm32.exe, Epnkip32.exe, Cceapl32.exe, Djafaf32.exe, Bedamd32.exe, Cdpdnpif.exe, Ejabqi32.exe, Cgjgol32.exe, Dhklna32.exe, Bknmok32.exe, Dnckki32.exe, Dnfhqi32.exe, Dgqion32.exe, Fllaopcg.exe, Fbfjkj32.exe, Fedfgejh.exe, Doqkpl32.exe, Eiilge32.exe, Ccgnelll.exe
Berbew family
Executes dropped EXE (46 IoCs)
pid   Process
1924  Bknmok32.exe
2704  Bahelebm.exe
2668  Bedamd32.exe
2224  Befnbd32.exe
2596  Bhdjno32.exe
276   Cppobaeb.exe
1592  Cgjgol32.exe
2536  Cdngip32.exe
2136  Ckhpejbf.exe
2868  Cdpdnpif.exe
2360  Cfaqfh32.exe
2468  Cceapl32.exe
2112  Cjoilfek.exe
2148  Ccgnelll.exe
2100  Djafaf32.exe
2180  Dcjjkkji.exe
1108  Dbmkfh32.exe
908   Doqkpl32.exe
2976  Dnckki32.exe
1560  Ddmchcnd.exe
1224  Dglpdomh.exe
2984  Dnfhqi32.exe
308   Dbadagln.exe
1700  Dhklna32.exe
2060  Dkjhjm32.exe
2836  Dbdagg32.exe
2676  Dgqion32.exe
2840  Dnjalhpp.exe
2072  Dqinhcoc.exe
1336  Ejabqi32.exe
2892  Empomd32.exe
1004  Epnkip32.exe
616   Efhcej32.exe
2796  Eqngcc32.exe
2888  Epqgopbi.exe
1688  Eiilge32.exe
2808  Ekghcq32.exe
556   Ebappk32.exe
1876  Eikimeff.exe
2132  Elieipej.exe
1820  Eebibf32.exe
768   Egpena32.exe
2292  Fllaopcg.exe
780   Fbfjkj32.exe
2256  Fedfgejh.exe
2204  Flnndp32.exe
Loads dropped DLL (64 IoCs)
Each of the following 32 processes is listed twice in the report (64 entries in total).
pid   Process
1900  d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe
1924  Bknmok32.exe
2704  Bahelebm.exe
2668  Bedamd32.exe
2224  Befnbd32.exe
2596  Bhdjno32.exe
276   Cppobaeb.exe
1592  Cgjgol32.exe
2536  Cdngip32.exe
2136  Ckhpejbf.exe
2868  Cdpdnpif.exe
2360  Cfaqfh32.exe
2468  Cceapl32.exe
2112  Cjoilfek.exe
2148  Ccgnelll.exe
2100  Djafaf32.exe
2180  Dcjjkkji.exe
1108  Dbmkfh32.exe
908   Doqkpl32.exe
2976  Dnckki32.exe
1560  Ddmchcnd.exe
1224  Dglpdomh.exe
2984  Dnfhqi32.exe
308   Dbadagln.exe
1700  Dhklna32.exe
2060  Dkjhjm32.exe
2836  Dbdagg32.exe
2676  Dgqion32.exe
2840  Dnjalhpp.exe
2072  Dqinhcoc.exe
1336  Ejabqi32.exe
2892  Empomd32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Jnbppmob.dll | Dcjjkkji.exe
File opened for modification | C:\Windows\SysWOW64\Dnfhqi32.exe | Dglpdomh.exe
File created | C:\Windows\SysWOW64\Aoqbnfda.dll | Dglpdomh.exe
File created | C:\Windows\SysWOW64\Fbfjkj32.exe | Fllaopcg.exe
File created | C:\Windows\SysWOW64\Fkbhkj32.dll | Bahelebm.exe
File opened for modification | C:\Windows\SysWOW64\Ddmchcnd.exe | Dnckki32.exe
File created | C:\Windows\SysWOW64\Dgqion32.exe | Dbdagg32.exe
File opened for modification | C:\Windows\SysWOW64\Epqgopbi.exe | Eqngcc32.exe
File created | C:\Windows\SysWOW64\Mnmcojmg.dll | Elieipej.exe
File opened for modification | C:\Windows\SysWOW64\Egpena32.exe | Eebibf32.exe
File opened for modification | C:\Windows\SysWOW64\Cdpdnpif.exe | Ckhpejbf.exe
File opened for modification | C:\Windows\SysWOW64\Dbdagg32.exe | Dkjhjm32.exe
File created | C:\Windows\SysWOW64\Hmdkip32.dll | Dnjalhpp.exe
File created | C:\Windows\SysWOW64\Efhcej32.exe | Epnkip32.exe
File created | C:\Windows\SysWOW64\Fiakeijo.dll | Fllaopcg.exe
File created | C:\Windows\SysWOW64\Kjkoop32.dll | Cppobaeb.exe
File created | C:\Windows\SysWOW64\Aankboko.dll | Ckhpejbf.exe
File created | C:\Windows\SysWOW64\Fdbnboph.dll | Dbadagln.exe
File created | C:\Windows\SysWOW64\Dbdagg32.exe | Dkjhjm32.exe
File created | C:\Windows\SysWOW64\Iahbkogl.dll | Bknmok32.exe
File created | C:\Windows\SysWOW64\Nceqcnpi.dll | Dnckki32.exe
File created | C:\Windows\SysWOW64\Egpena32.exe | Eebibf32.exe
File opened for modification | C:\Windows\SysWOW64\Befnbd32.exe | Bedamd32.exe
File created | C:\Windows\SysWOW64\Qhalbm32.dll | Ddmchcnd.exe
File opened for modification | C:\Windows\SysWOW64\Dbadagln.exe | Dnfhqi32.exe
File created | C:\Windows\SysWOW64\Oamcoejo.dll | Dkjhjm32.exe
File opened for modification | C:\Windows\SysWOW64\Dqinhcoc.exe | Dnjalhpp.exe
File opened for modification | C:\Windows\SysWOW64\Eebibf32.exe | Elieipej.exe
File opened for modification | C:\Windows\SysWOW64\Flnndp32.exe | Fedfgejh.exe
File created | C:\Windows\SysWOW64\Cppobaeb.exe | Bhdjno32.exe
File created | C:\Windows\SysWOW64\Hhejoigh.dll | Dnfhqi32.exe
File opened for modification | C:\Windows\SysWOW64\Empomd32.exe | Ejabqi32.exe
File created | C:\Windows\SysWOW64\Ekghcq32.exe | Eiilge32.exe
File created | C:\Windows\SysWOW64\Aeackjhh.dll | Ebappk32.exe
File created | C:\Windows\SysWOW64\Kmpnop32.dll | Fbfjkj32.exe
File created | C:\Windows\SysWOW64\Pggcij32.dll | Eebibf32.exe
File created | C:\Windows\SysWOW64\Bhdjno32.exe | Befnbd32.exe
File created | C:\Windows\SysWOW64\Dbadagln.exe | Dnfhqi32.exe
File created | C:\Windows\SysWOW64\Ojdlmb32.dll | Dgqion32.exe
File opened for modification | C:\Windows\SysWOW64\Eqngcc32.exe | Efhcej32.exe
File created | C:\Windows\SysWOW64\Elieipej.exe | Eikimeff.exe
File opened for modification | C:\Windows\SysWOW64\Cfaqfh32.exe | Cdpdnpif.exe
File created | C:\Windows\SysWOW64\Dhklna32.exe | Dbadagln.exe
File created | C:\Windows\SysWOW64\Elfkmcdp.dll | Dbdagg32.exe
File opened for modification | C:\Windows\SysWOW64\Ejabqi32.exe | Dqinhcoc.exe
File created | C:\Windows\SysWOW64\Eqngcc32.exe | Efhcej32.exe
File opened for modification | C:\Windows\SysWOW64\Elieipej.exe | Eikimeff.exe
File created | C:\Windows\SysWOW64\Bahelebm.exe | Bknmok32.exe
File created | C:\Windows\SysWOW64\Ofoebc32.dll | Cgjgol32.exe
File created | C:\Windows\SysWOW64\Cjoilfek.exe | Cceapl32.exe
File opened for modification | C:\Windows\SysWOW64\Efhcej32.exe | Epnkip32.exe
File opened for modification | C:\Windows\SysWOW64\Eikimeff.exe | Ebappk32.exe
File created | C:\Windows\SysWOW64\Ihbldk32.dll | Cjoilfek.exe
File created | C:\Windows\SysWOW64\Eebibf32.exe | Elieipej.exe
File opened for modification | C:\Windows\SysWOW64\Ccgnelll.exe | Cjoilfek.exe
File created | C:\Windows\SysWOW64\Onndkg32.dll | Fedfgejh.exe
File created | C:\Windows\SysWOW64\Cgjgol32.exe | Cppobaeb.exe
File created | C:\Windows\SysWOW64\Fhoedaep.dll | Eikimeff.exe
File opened for modification | C:\Windows\SysWOW64\Cgjgol32.exe | Cppobaeb.exe
File created | C:\Windows\SysWOW64\Ckinbali.dll | Cdngip32.exe
File created | C:\Windows\SysWOW64\Ifhfbgmj.dll | Cceapl32.exe
File created | C:\Windows\SysWOW64\Lbogaf32.dll | Ccgnelll.exe
File created | C:\Windows\SysWOW64\Dqinhcoc.exe | Dnjalhpp.exe
File created | C:\Windows\SysWOW64\Ebappk32.exe | Ekghcq32.exe
Program crash (1 IoC)
pid   pid_target  Process
2080  2204        WerFault.exe
System Location Discovery: System Language Discovery (1 TTP, 47 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by 47 processes: Eiilge32.exe, Eikimeff.exe, Fbfjkj32.exe, Befnbd32.exe, Dqinhcoc.exe, Dnckki32.exe, Dnjalhpp.exe, Cgjgol32.exe, Dbmkfh32.exe, Cjoilfek.exe, Dcjjkkji.exe, Doqkpl32.exe, Dglpdomh.exe, Dhklna32.exe, Dbdagg32.exe, d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe, Bahelebm.exe, Eqngcc32.exe, Epqgopbi.exe, Ekghcq32.exe, Dgqion32.exe, Empomd32.exe, Ccgnelll.exe, Bedamd32.exe, Cceapl32.exe, Dnfhqi32.exe, Dkjhjm32.exe, Epnkip32.exe, Efhcej32.exe, Fedfgejh.exe, Cppobaeb.exe, Cfaqfh32.exe, Ckhpejbf.exe, Dbadagln.exe, Ebappk32.exe, Elieipej.exe, Eebibf32.exe, Egpena32.exe, Bhdjno32.exe, Cdngip32.exe, Fllaopcg.exe, Ejabqi32.exe, Bknmok32.exe, Djafaf32.exe, Flnndp32.exe, Cdpdnpif.exe, Ddmchcnd.exe
Modifies registry class (64 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}
  by 1 process: d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
  by 22 processes: Dkjhjm32.exe, Epqgopbi.exe, Eiilge32.exe, d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe, Bahelebm.exe, Empomd32.exe, Bknmok32.exe, Bedamd32.exe, Cdpdnpif.exe, Dnckki32.exe, Dbmkfh32.exe, Fllaopcg.exe, Fedfgejh.exe, Cdngip32.exe, Ddmchcnd.exe, Dqinhcoc.exe, Ekghcq32.exe, Cfaqfh32.exe, Ckhpejbf.exe, Dnjalhpp.exe, Dglpdomh.exe, Dnfhqi32.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
  by 25 processes: Dnfhqi32.exe, Fbfjkj32.exe, Befnbd32.exe, Eqngcc32.exe, Fllaopcg.exe, Ckhpejbf.exe, Egpena32.exe, Bknmok32.exe, Cdngip32.exe, Ccgnelll.exe, Bahelebm.exe, Ekghcq32.exe, Bhdjno32.exe, Ejabqi32.exe, Efhcej32.exe, Ebappk32.exe, Epnkip32.exe, Cdpdnpif.exe, Dnckki32.exe, Dglpdomh.exe, Elieipej.exe, Cppobaeb.exe, Dbadagln.exe, Dnjalhpp.exe, Dkjhjm32.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = DLL path, 16 entries:
  "C:\\Windows\\SysWow64\\Gbmiha32.dll" | Ekghcq32.exe
  "C:\\Windows\\SysWow64\\Fiakeijo.dll" | Fllaopcg.exe
  "C:\\Windows\\SysWow64\\Dangeigl.dll" | Bhdjno32.exe
  "C:\\Windows\\SysWow64\\Nceqcnpi.dll" | Dnckki32.exe
  "C:\\Windows\\SysWow64\\Panfjh32.dll" | Epnkip32.exe
  "C:\\Windows\\SysWow64\\Kmpnop32.dll" | Fbfjkj32.exe
  "C:\\Windows\\SysWow64\\Akbieg32.dll" | Bedamd32.exe
  "C:\\Windows\\SysWow64\\Lbogaf32.dll" | Ccgnelll.exe
  "C:\\Windows\\SysWow64\\Hhejoigh.dll" | Dnfhqi32.exe
  "C:\\Windows\\SysWow64\\Mnmcojmg.dll" | Elieipej.exe
  "C:\\Windows\\SysWow64\\Khqplf32.dll" | Dhklna32.exe
  "C:\\Windows\\SysWow64\\Ofoebc32.dll" | Cgjgol32.exe
  "C:\\Windows\\SysWow64\\Jnbppmob.dll" | Dcjjkkji.exe
  "C:\\Windows\\SysWow64\\Jcmfjeap.dll" | Dqinhcoc.exe
  "C:\\Windows\\SysWow64\\Hehaja32.dll" | Eiilge32.exe
  "C:\\Windows\\SysWow64\\Kjkoop32.dll" | Cppobaeb.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child write event below was recorded four times in the sandbox log (description | pid | Process | procid_target):
- PID 1900 wrote to memory of 1924 | 1900 | d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe | 30
- PID 1924 wrote to memory of 2704 | 1924 | Bknmok32.exe | 31
- PID 2704 wrote to memory of 2668 | 2704 | Bahelebm.exe | 32
- PID 2668 wrote to memory of 2224 | 2668 | Bedamd32.exe | 33
- PID 2224 wrote to memory of 2596 | 2224 | Befnbd32.exe | 34
- PID 2596 wrote to memory of 276 | 2596 | Bhdjno32.exe | 35
- PID 276 wrote to memory of 1592 | 276 | Cppobaeb.exe | 36
- PID 1592 wrote to memory of 2536 | 1592 | Cgjgol32.exe | 37
- PID 2536 wrote to memory of 2136 | 2536 | Cdngip32.exe | 38
- PID 2136 wrote to memory of 2868 | 2136 | Ckhpejbf.exe | 39
- PID 2868 wrote to memory of 2360 | 2868 | Cdpdnpif.exe | 40
- PID 2360 wrote to memory of 2468 | 2360 | Cfaqfh32.exe | 41
- PID 2468 wrote to memory of 2112 | 2468 | Cceapl32.exe | 42
- PID 2112 wrote to memory of 2148 | 2112 | Cjoilfek.exe | 43
- PID 2148 wrote to memory of 2100 | 2148 | Ccgnelll.exe | 44
- PID 2100 wrote to memory of 2180 | 2100 | Djafaf32.exe | 45
Processes
-
Each process below was spawned by the one listed before it; the bracketed number is its depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1900

[2] C:\Windows\SysWOW64\Bknmok32.exe
Command line: C:\Windows\system32\Bknmok32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1924

[3] C:\Windows\SysWOW64\Bahelebm.exe
Command line: C:\Windows\system32\Bahelebm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2704

[4] C:\Windows\SysWOW64\Bedamd32.exe
Command line: C:\Windows\system32\Bedamd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2668

[5] C:\Windows\SysWOW64\Befnbd32.exe
Command line: C:\Windows\system32\Befnbd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2224

[6] C:\Windows\SysWOW64\Bhdjno32.exe
Command line: C:\Windows\system32\Bhdjno32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2596

[7] C:\Windows\SysWOW64\Cppobaeb.exe
Command line: C:\Windows\system32\Cppobaeb.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 276

[8] C:\Windows\SysWOW64\Cgjgol32.exe
Command line: C:\Windows\system32\Cgjgol32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1592

[9] C:\Windows\SysWOW64\Cdngip32.exe
Command line: C:\Windows\system32\Cdngip32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2536

[10] C:\Windows\SysWOW64\Ckhpejbf.exe
Command line: C:\Windows\system32\Ckhpejbf.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2136

[11] C:\Windows\SysWOW64\Cdpdnpif.exe
Command line: C:\Windows\system32\Cdpdnpif.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2868

[12] C:\Windows\SysWOW64\Cfaqfh32.exe
Command line: C:\Windows\system32\Cfaqfh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2360

[13] C:\Windows\SysWOW64\Cceapl32.exe
Command line: C:\Windows\system32\Cceapl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2468

[14] C:\Windows\SysWOW64\Cjoilfek.exe
Command line: C:\Windows\system32\Cjoilfek.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2112

[15] C:\Windows\SysWOW64\Ccgnelll.exe
Command line: C:\Windows\system32\Ccgnelll.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2148

[16] C:\Windows\SysWOW64\Djafaf32.exe
Command line: C:\Windows\system32\Djafaf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2100

[17] C:\Windows\SysWOW64\Dcjjkkji.exe
Command line: C:\Windows\system32\Dcjjkkji.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2180

[18] C:\Windows\SysWOW64\Dbmkfh32.exe
Command line: C:\Windows\system32\Dbmkfh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1108

[19] C:\Windows\SysWOW64\Doqkpl32.exe
Command line: C:\Windows\system32\Doqkpl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 908

[20] C:\Windows\SysWOW64\Dnckki32.exe
Command line: C:\Windows\system32\Dnckki32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2976

[21] C:\Windows\SysWOW64\Ddmchcnd.exe
Command line: C:\Windows\system32\Ddmchcnd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1560

[22] C:\Windows\SysWOW64\Dglpdomh.exe
Command line: C:\Windows\system32\Dglpdomh.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1224

[23] C:\Windows\SysWOW64\Dnfhqi32.exe
Command line: C:\Windows\system32\Dnfhqi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2984

[24] C:\Windows\SysWOW64\Dbadagln.exe
Command line: C:\Windows\system32\Dbadagln.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 308

[25] C:\Windows\SysWOW64\Dhklna32.exe
Command line: C:\Windows\system32\Dhklna32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1700

[26] C:\Windows\SysWOW64\Dkjhjm32.exe
Command line: C:\Windows\system32\Dkjhjm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2060

[27] C:\Windows\SysWOW64\Dbdagg32.exe
Command line: C:\Windows\system32\Dbdagg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2836

[28] C:\Windows\SysWOW64\Dgqion32.exe
Command line: C:\Windows\system32\Dgqion32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2676

[29] C:\Windows\SysWOW64\Dnjalhpp.exe
Command line: C:\Windows\system32\Dnjalhpp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2840

[30] C:\Windows\SysWOW64\Dqinhcoc.exe
Command line: C:\Windows\system32\Dqinhcoc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2072

[31] C:\Windows\SysWOW64\Ejabqi32.exe
Command line: C:\Windows\system32\Ejabqi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1336

[32] C:\Windows\SysWOW64\Empomd32.exe
Command line: C:\Windows\system32\Empomd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2892

[33] C:\Windows\SysWOW64\Epnkip32.exe
Command line: C:\Windows\system32\Epnkip32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1004

[34] C:\Windows\SysWOW64\Efhcej32.exe
Command line: C:\Windows\system32\Efhcej32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 616

[35] C:\Windows\SysWOW64\Eqngcc32.exe
Command line: C:\Windows\system32\Eqngcc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2796

[36] C:\Windows\SysWOW64\Epqgopbi.exe
Command line: C:\Windows\system32\Epqgopbi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2888

[37] C:\Windows\SysWOW64\Eiilge32.exe
Command line: C:\Windows\system32\Eiilge32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1688

[38] C:\Windows\SysWOW64\Ekghcq32.exe
Command line: C:\Windows\system32\Ekghcq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2808

[39] C:\Windows\SysWOW64\Ebappk32.exe
Command line: C:\Windows\system32\Ebappk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 556

[40] C:\Windows\SysWOW64\Eikimeff.exe
Command line: C:\Windows\system32\Eikimeff.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1876

[41] C:\Windows\SysWOW64\Elieipej.exe
Command line: C:\Windows\system32\Elieipej.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2132

[42] C:\Windows\SysWOW64\Eebibf32.exe
Command line: C:\Windows\system32\Eebibf32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1820

[43] C:\Windows\SysWOW64\Egpena32.exe
Command line: C:\Windows\system32\Egpena32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 768

[44] C:\Windows\SysWOW64\Fllaopcg.exe
Command line: C:\Windows\system32\Fllaopcg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2292

[45] C:\Windows\SysWOW64\Fbfjkj32.exe
Command line: C:\Windows\system32\Fbfjkj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 780

[46] C:\Windows\SysWOW64\Fedfgejh.exe
Command line: C:\Windows\system32\Fedfgejh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2256

[47] C:\Windows\SysWOW64\Flnndp32.exe
Command line: C:\Windows\system32\Flnndp32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2204

[48] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 140
- Program crash
PID: 2080
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
302KB
MD59bd7494328d0877ce158e6429e55d390
SHA116f183308ee36d3c95e70d9013279ac0ef017422
SHA2564be80d6f4b8d3a0d149b9e1ea9210a12841b0528eb697dc4f995dc10e0747117
SHA512e790261ee7077156922474e1a26a9f94c689f9b2eda2eed734cf2b6a9a4693591a64951c3c80e3a3a54e35d488fa2533ed7cad94b4884b7504bd08dd54a37bb5
-
Filesize
302KB
MD5b668640b2e384da54c3774576108a449
SHA151c017aac3f8f8db3a6fafd906e81f9bce0607a3
SHA25642ee39485e5b0450e96403f1fa556698475ca65db09cb9ee6ae1dd9ca6f1fb4d
SHA512e61daa4a3fa3b1b8fdb026e2957f1936c5afab937ad61e26cb2c47775c17196202c4ceb5f368e9b464b114d35387819971a7d9c5cd1a203774de1de39f86d9c0
-
Filesize
302KB
MD5df434138ff82d71dfbb3333c8e505ddf
SHA1f0d3618e2f8c0b6beb2a9b9ce811f67ec9d989e1
SHA256fd1903fc05c6b9bedc1dcf293efe522ac79428bc057205fabd8a2a377e727bde
SHA51239e1dbfc80c7cc280963961b7be190713a6490a1aa0391a38e13b53babd5f6605d8621cedbae6f724376fd061be4854d410a05fb5c5075e48c2f88ffebefee52
-
Filesize
302KB
MD5619123496832540d2a392d9d32eaa609
SHA1c61ffaccea45d703dd50e017f03d1f9bf4596ff4
SHA256d1a9cac025a21df22ee153d4374da502f9c95e1b035ed07bde2460ff5a2296bd
SHA512aa383d6d4ff3fe4b48f9cdaffc0b1f0acde58b641a0db1c7982895dc46902f41f4a7c62535cbc5966f8695c309471dbaf541f8ec46a6ea7697ae421babc1ee0a
-
Filesize
302KB
MD597b886b26e33fb2bc9c814b4312de8bd
SHA1aa95a31de679b4620cfef5f9775c5efba41edd9f
SHA256c016188e5a99493a8473dd3c8a804c70bf57e19723a7b124acf2cb4ace960b8e
SHA51292d87a641e025c16eb370383d5c31aa30f6ca0b09a785eeaf03f84998f1319ce143700321fdbd8476c72035bc6b4f30a1d4ed51c0f16bfdf0501598ca0f8fc26
-
Filesize
302KB
MD5aed5c9296b4792f5228d9c5aac4ea6ae
SHA19ea1f81aa3b79bf3d9f2db2adfa0fd8845e5853f
SHA256d7b7919f2ac17169909c5f6e447bd17fc8429804dacfbd1a03884e569fef3c7a
SHA5124af34c64fbda3fe57f9cd2a176ff601fca04ea07d4051c026a1aceaaa48962a2c82d692b0d9d4084e69ef684317acbd187fa002ab6c73732b90232bed41a0eb0
-
Filesize
302KB
MD553082c5a5798361dcd43aff6e10d8e96
SHA1b29bfbcfcc7d72bdb2e51fb697cce70d10245128
SHA256d10775326ef2d7ceff88ce88eddf94d521eb834e0aac7629277d4b61411d4056
SHA512437f528584232a8408b441c07909be1e16f283a0ec4f87c10a77e639898132d9a80b1a06d30450c4cc7199b37d6fbda4f321d23da1ee99a62e306d76e20662ce
-
Filesize
302KB
MD54f6e4f5008fd192bfa577f0446adb74c
SHA153fb7324e59a07647ba62cc5f59723eb461413ac
SHA2567aec9ba668990501d0bc65fcad272d35e8a9904e232ef0cf26f4cfd68940d8af
SHA512a1e322413d765468954a46bdd88df28c87845aedd40a376bff7a392b49045dbcfb39d914925ea3058021393bac522a7c52deb7185a70718b620411660885f7ee
-
Filesize
302KB
MD598f119a395fe6fa81cb05f4b0023cb60
SHA1c0982f432e0df7caa907c3d2d9069a61db58c2c0
SHA256f8f85f44acd52a365b57955e8391ce88bd051fa6db3e2364c12231360c38e98e
SHA51281b59b327570aca321743d8296b17788aefd38bbfd290206f21ebdf226b36ce81c78dbeda452c1d776e4abe3c53cb5988153cb814346da14037432382bae4af7
-
Filesize
302KB
MD5ad4ba6475298fef744d9873af5e359b1
SHA13cfe325760e55c5060e35275c752dac53218935c
SHA25688d9e614598740b1760e81c8678ae4d5fd54173fdc7eba5cb49247f2373271b0
SHA512ff61f05ba45eccf076995c934300de3b6ab144a8ff37117cef193fd9da7723f5792efd254bf2f8dff1b2c17b4855c59a0bfde3990f31ce378cc5f648407a69d5
-
Filesize
302KB
MD5954f74aeb4a9c2e57c527847d1bd079c
SHA13fa314b47f230b4540d7063156349ff34acbbcbb
SHA2566daaa308e24cdd22e091f80b9c699693fa0d59757ca4208bafaabf6bbaa1e933
SHA5122f3bfdf30c8c9994080f8857d58098d1dbdd2c1b712392dfbec308e4635e2279eb6e5b0b4fd3cb376c164bf4e410d24934946268d4178df836db1a4f5e37456f
-
Filesize
302KB
MD53370d89a1b63671a025dead0f820d901
SHA1992232ef79157b8a8c72b3d10420b63868f78b03
SHA256db6b1962f035690429dabeee8851a05105db86e3acbcbe3b92ceaed724b2a3cd
SHA512266a9e4de5bc6f8a7e460ffb6529132a8d7177f7311963aa2e0aa043f2a8585db781224384df88606d70ea35007b368fea0affbfaa3325a3ef1931ba0d665ac3
-
Filesize
302KB
MD51c600c1d0e1d678704cf69c025e9010b
SHA151f2a79540eb9b90e4b0fc1d81243f4c06a11b65
SHA256234b7dec9fea8f35cab85e5359e27eb768b48ca5a17e046b310b919d35c1eb51
SHA51298e34241711fb474dc43ec1a7d6e8c5a36349c23087d4b27a6d2e9ae49950bc7a1970bcd7d3b9b4b376aab531202246bd2766ff721f8377f82b734c713c46d8b
-
Filesize
302KB
MD5f807a8f04bebc4f14395eb5734bb50b3
SHA12abe1bd9b8cedbc577909abf5441b4814897c420
SHA256fe0144d1b40e737f79647726109249b1e094c2c7dcbec0e52538b5d3b833c5f8
SHA5126ff582fd6b82ac01d1caf7d1b2372d4a4acd63335912ac216215feb86620f8476577c630d4e5d595466e2a4984911bd2422868f7e104f6eb9521c14143734f53
-
Filesize
302KB
MD5d323ba7654ec1294c3f8bf7cd3727ac5
SHA1bdfb2b9082468c049436db7170f1e83907cfe819
SHA256be51cbe9c656e01014f89b05d259afa76bb4dd1da649348b4379f19ccdda8024
SHA512fb60d64a80833945e1474521f17d0a226f3c5cbc2249b8a996aacf439164f199905b5467fa8a7ce4db63d7b4006f8147cd6d252e39d3c4b31b23b76b7de37070
-
Filesize
302KB
MD54b87f9947f5b8d55aa2d1e82541c6194
SHA1dd47a22893b581a962de3fcc905649b3157f2adb
SHA256616d92e0e6e72d44bebc26c6128c333374d9d065851ee5c1d69ff1d7d816b489
SHA5123c2656fac088fd8f292b59b8b8c1149d82ed8b1b934f0b16e6908befa59635e72290cdaa76f753e72e14b4377d897db28e4e865cae9da44851c13a8c3857d5b7
-
Filesize
302KB
MD5383eac688446ff24c883bcdc125d6952
SHA13a490d37743af961b56d4e4157be39e0808fef43
SHA256b966877fe0a75ab15c79695054a9bcbeedcaaa6e9ad35803aaf89e5ab5b89023
SHA512e2f50c6a701c48fa499afff50c43446a854899287b2e33458eee0ff50ec71ec0a22fbed8f51df3465288859d0862ebfa9e304494a731bd95f99d16649b77d31f
-
Filesize
302KB
MD57e7c617fd9c97b8834ca98ce37a19345
SHA187d3a4e223cb9ecc876ce2e92c972aeba7bbd016
SHA256f69c57af17fb69437a30bcc800d52fe7f4101da4343a9e206514844bb556e64f
SHA51224ee404732bc7913f05269a9d415eb3ddd063fbd9ff681ff63fa32d0f393d57a77750b4dc8b529e11f9230691d5425fe8e8f9aa1ace9034e2e6b82d704450b85
-
Filesize
302KB
MD5c307ce74fc1e5cc207067884fe058e33
SHA17c70ee4d6dbf518215ab8d7089dc1fd4b27d39f8
SHA256b47fab85db2a281e59fbeb92c81ea9e8229b553149936e159d9971e9d1c597bf
SHA512e2cafd7c4b9d3511fdfa2d4b0cacb8fd74390c0fb60f0665dc7145fa196615cedbd51691d7fa50d9af379e658c39f5dd4829bd36ed4090de461ffa3f311598c1
-
Filesize
302KB
MD516126f3b6a55b0bcc81ff571ad17b099
SHA1312364e15bc67f76829c1b5ac917b3378c17479e
SHA256987b600f30818749413e542122e9845f9bcaf62591c413a97dda593d36db2b9c
SHA5129a87e2fe9d95aea37d2247841a42a3165d93e7ec1093efcc5ae80598e7e91ad98814ba8c0b74e01850c67ec019dd135dbaba415824aa6b5e374d04a8f45dbcdf
-
Filesize
302KB
MD5744226e934417307da49524d0f742b2e
SHA1be96bff7f5e3a2cdc14260ffacccdbadc1832f8f
SHA2566bbc8c7a2235ab75d6749ac518757a2cf4d884c5d630e63076d7b564f50ef16b
SHA512eeb7a90f1035a9224daaf50527fe43a24d3d67ab231fcff6aeeef1f567624f456596c843a3c514c72f8558b719b1649e437cb443f34f77d03c258bf66041f6db
-
Filesize
302KB
MD5ce8f6bb4676367d8997e9a69115a825c
SHA168b7eff5b76fd592c9e0c2abdcb49640210cd73c
SHA25689ed2b271562ab217365630d793f171147b847915c5ce06bf0832372b9beb236
SHA512fcbdb559914b42dbc19c7c87c72393b5787cd40099b83cf96f064802247e59785ca0cfc839e0113db47668e5b81290b034a64bd94dd5bf449a711137c7498652
-
Filesize
302KB
MD55a597451e8716feaa007d9363f39e22b
SHA11b58c287cf4bd6eca59e7cf69477aa410f7dd54d
SHA256029389394709dc34c412421a586fd6ee90b2c96fd654ea23db6766bd0e055d44
SHA512ae3b5ff09e7637f3bab3f2b8c6fdf84f2a0ba3620ab850e080da696c1027777dd42fd42453eea32aa7a1ccc2cb307cf6ef2423be35b29d1c9b1e69c47c516641
-
Filesize
302KB
MD5b8273df7cacf6caf37c12a59665c4dbe
SHA11d4538f75062a546db89cdfa3840ae02128eafed
SHA256947548d7af951948c2614ef204667abf7bd7c366f1668e2df6c16ff42fd5eb47
SHA5120799d35538db97e0be202105a60e853602024bfb28533690c93473267f93cb0f52baef4d70fde71a8c87785e62b5599f152761de4f49cff188b05e6f59e21275
-
Filesize
302KB
MD567bc4255127400582d4a9264d9f6a424
SHA13a922af65a75c702d904dbe22f9eae2330d6f24d
SHA2567cf83b65bd29d21e42b740da3b67b7e739075766fd6c30308a9eae00dcfc6f95
SHA512ad8160a860c7130747adfd48da52d134b1e5ee80e1aa8229f0e795e1948b7f7cb071af5cf8c9c51a8f87bec37913ec8babfe5ef6041058ba03094cc0ff2001a0
-
Filesize
302KB
MD5d06a3593ba44d9f219e6d66b0d8f759d
SHA1f05dc33a0f44f8ee935b0316dd85d170cdbf756b
SHA256ffac58186414d0528b57a8b26bd07dc698c1b7c98ddc60a0776e8f1049537da3
SHA512d29d43672931baa8e4e3400dc4aed9a2a3ba68dcec66f9afdf0c31e11b0d178ef70bc1fa76ed8e1cf63c2c4c68f68115a192a62a847c61238e6223a4ba9959f6
-
Filesize
302KB
MD57b92f59d163beaf8134d8a7ee4292106
SHA11027cd52eb8e884dc9c9e02b041eae00d1526dc8
SHA2564aadab53625684e7323374ee80f7fa99a9cfc79819bfdc853941304fa42535cb
SHA5124a6601fd58e711eb3f5aaf91939af38f991bb20690bfa94719cc066abd7feca7ddd2610173264bd2d226956216a140c6455f980a1dd97418f055cba405ff8b32
-
Filesize
302KB
MD5bac1961b6f4ef8f84f4df5c31a529cae
SHA16bd65968b4997ead47c7859a752e778fbe2b1b4a
SHA256aa62bae603a44cf3b7aa88b75149f9e3c4177c21da72ac0d723803c041d0ce26
SHA5129a4ccf79af378e075cf9215eda5fc28c2d7778ddcd23ef557b685471e63dc5e411d06e4e7e58e1574b8d25ba2cc578e5bd1555499689183bdbdd2ce7174e053a
-
Filesize
302KB
MD51e5cf51d11b4ea9dc6df3839be5a5967
SHA168482bf6538ed537f3558bd6583d9d44574b6a2c
SHA2564b0ec931d7162028d3e11dc91aca2db7d5c677834b19b64d6821e0fc49097992
SHA5125ca80c6daffbce75400b628a43405ddede042abb3ef6f928cc5507669dee2dd881a74426e721349e609b3c74ae21c18c06010b46d8497e5f6028046541f32df5
-
Filesize
302KB
MD51e6fdae1dec8ade5456559cb108ae2ca
SHA178437394d82b0d4d7671269cdae087d929a4c9ac
SHA25687e8b608bc72eeaa6092f37de59c40edd1172211ce6f348d3eea6595688749f4
SHA512da32788d026dfb4080f5317d38c7a4b550a74115aecf51f13b41028ba03a9cbc08cd4a3bed8eb781c542613b2a6e6cb14760bf00409516fea75af409ee8b66d4
-
Filesize
302KB
MD5673ef7a940b1ebc662dc1530e1efef7d
SHA14464e84813503207a82decbfb9f933a2ababaaa6
SHA2567e1f475651d72ac7f7ec38eaa38fb7c27519190867d55c820dd32150f59d4fdf
SHA5127879f0c764ad275b74a747a07a890756833ae9a3066b167271c27c481c920e95283bd3b19e9c4be232ec59638e6f6fd4593bf0aea1f3ed2cf4792e7b938027f9
-
Filesize
302KB
MD5a429dd24dfe5b38c7d9fa8048afd0649
SHA1ac476831e69ce32389da911e5fd32ef72a60d593
SHA256d141778557bfdfec37ccad171fc71ad78c8522b8a712138529565f6f4ea2c673
SHA5129dc01b0bb4fb54939d371fd63a55caf4ec0623d64cd33c217c9cb89d894e4d7c681f0237f5c7f5d51ec074cbbfd2087267e4e0deb7920cf38be2a0f23e71fb96
-
Filesize
302KB
MD589a0fb9af4c91aa1b7557873bfdc7548
SHA1275170871d5edcf0f9dc5492c45c4dfcb8bf28e6
SHA25634735aab0542e6a03a5152746fc17012c7e59fe00c5d612a5ed0b4dc05c4e0a1
SHA512a62214a43bc0cd25039de07ee00b264d089862734a9de41ea95e186dad9f2a0fbf7d89959df3e51cfb3d6ad0756281c5dca89a73d25855dc4c46d1aac0816c67
-
Filesize
302KB
MD596e73f9a3131b279278e9c9fab244c02
SHA1b6f04833c3d8e59dd18efa25713e24ebdb7324bc
SHA256aec6c0f1f572197ce6241954907a7119f1bbe98c403066c998333bbb1dcc8110
SHA5127bd928150eee376bc63d4d59eb32239ac530548b0308f269150d729eae76e3c7dbb70bceeda32c9ffc9ea9df7e187c7c332932ca89baac60987c02418197fa4c
-
Filesize
302KB
MD5b402bba1cd6a1e293905066c774fdb1f
SHA124889ef2509927fcaee539680719b5a89b86755d
SHA256eca586f6e73081e9531c718fbd25d9336c0a3af492f3b92f6b4b40c00dd08d10
SHA51272586b57ebbdd30e7e83087490604dd0adea14d29fa3b51821bd0abe884404770cbcd3971bda804afacbe934c13b838b5cb595cda34a5095ad6c77d341261f5b
-
Filesize
302KB
MD59a96c1427d06049cd2a157a96a9029dd
SHA17fbc6ee6ecd47ee667ae2bec1f0d0f258b888361
SHA25695509327c40400fc38e2251998508d42d34fff050679bf4ee0319c5a71622645
SHA512355f95d1cfc74fa8c99774a4a10c745c55796208c88e4bf77cbf15447fca1ba4ef1c24248c09265c32b29219f63b8eb259e4aeab421515595991b8de9e068df7
-
Filesize
302KB
MD5371983627350e6abec702093ac7db077
SHA1aaec09ba797d7ce479d3f7e2b5171adf3b47d5a6
SHA256bd4aa32bef400680086d7759077b9845df5145fafedcaac763fd0f62778822ff
SHA512070f4b1daa7239762d833d0bf9a1bbdaffafcf1374fd59fb871b5dd591fc688f8e079cf8aaf2864555a3ebf6ebb767477404cea27898e1738222709cef2107ef
-
Filesize
302KB
MD5
70d768cb8f0cb2bfa117ccdfae0ca9b0
SHA1
c71b45802c61afacddffbffcd71de8c758d13b3b
SHA256
042abc4266717097a3beeac94d3cbd88cc0fa683dde392b6498f83b3596c6317
SHA512
731297e5541ec596cf3dca452f0bb5c03705c32f9f68e729ee094e63a84dc89b5e75c1837987910eda1553b0b62132997929e06f2b29bcfdc7235b6d1b249d3a
-
Filesize
302KB
MD5
cc073e7445146f406c328e5069016480
SHA1
5d4194b29780411683761f719af6d7128196b540
SHA256
88667352b61a495777e62d95c24f9b648375a00e2b6042208dff6eca4c846727
SHA512
017c95f7564d258e4b6ec3f56dc22ec1a3a01a8004739b63af2aaf5f650aeab264a45430217c27db8f177db7fc2dcf4da77f353226989ccd9ed389961f0eb214
-
Filesize
302KB
MD5
5cc8b93ed536e56f002ae15c3f769691
SHA1
1de0d2fb023ea8e01117c963d32720b39576f6f5
SHA256
7e29b8c84179bfc152d9114b501a8aa6bfeec139b29cec1540b31b36bbad13ad
SHA512
d3efe0a00fac4382756026d5014d9fc4a96943a7f879064813642dc1fc118a2417d077b6f94d846c24e304047edfccb6517824c1336b77c6c86a7ae5069b3caa
-
Filesize
302KB
MD5
d1b60a06f61101d9e3c330c1c0f64744
SHA1
253ba7c9e0907c06374ed9979bcd541a85966a80
SHA256
6442fe41d713b123678e31a9dbe6799c872cf58e0bdbb83077245af8da9e4367
SHA512
0c3ac87a7ddb11d3dd382572f6a752b79fd70aab7e2fa050766882532e36da9419cfce00efadd8175f296844cae32ac2b23967f938122012ff873e376900f2a9
-
Filesize
302KB
MD5
5b6501cd6e6c93cd07e7e532128c80e2
SHA1
47a8e853aa019ff396312dc9fbeff4b13a6cfdc2
SHA256
495673661c1c59c7d24c0a0c4585bf826e4c0d3b52148e7132ac294af078f1fc
SHA512
7c7a1058a6a4a7432c863785f39a5099cc1392650f6a3824c31d16feaf17e92a395a7d11d5d5854249695328f911ed7c97d643b94d74c1fc7ce67c641c71b8d5
-
Filesize
302KB
MD5
cf8b21490f8720f3d862549dac4a9154
SHA1
9c14e83593474b309e3f4d6ecd38efe603b75e08
SHA256
7e67a8f6b894aeacf6c92a287e23997c31a82adae1f7fcff5aa50af9af71f208
SHA512
18e2ddbfe00a548560a512bc64d74a4950d4b91a7d8e89f9187569b18003174a05baaf6a2e2141cba75f974a6d03fecfe928d504f6bebc45f68f6f9c87f91297
-
Filesize
302KB
MD5
53b300f2c5a5d0dd3330db5e66113e85
SHA1
10c37a51a7b8e6ec90a223ef2638d5b7b50b17bc
SHA256
3f6a26463888d6f7f9d3e8b7a7cc5253b434d7602251ab6a5b4205080930a6fa
SHA512
375d89ee7f998b3dddb20ad7bccf856b0a37d4998c824e6d0a71845a4c4c8a9d00c9fcb385b1134402f0cecf1c92a280cdb936cfd7aae1c0c79d1a12e73d77e1
-
Filesize
302KB
MD5
1f6b4d8706dfd941607ed9181b45bf84
SHA1
af0b475e87d0f2486879c393754621b2bfacb0d3
SHA256
8c1bd39bd4c51e95ded9219b0c3b965fabceb6353c9925dd999bf434de457caf
SHA512
abda2a23c7b7f3ba55dc73a93439a1668703b01227c79ad910c82714972dc341f6fdb3bd019236bed0e651d203143f0d673bd2141d9872f9ffd06cb7e4f301c0
-
Filesize
7KB
MD5
410758e8d947261d2b595064fce531e3
SHA1
a8202baf330a9bb8245b296dcd134da9c81f8f9e
SHA256
e3f5e8aeff436682b73e95fa2678cd0a1380905e8a7d1f2225b531c94e8038ab
SHA512
48057e1f7742d6178e9b73ced7d67044c3069f451c66e8ed0558968418c874f84a7a66c1c071692075dc4a1674759072f5aa06006a33ff2ea4d98989c69278a3
-
Filesize
302KB
MD5
c738ebbff3b5544a9242d91f1b63671e
SHA1
db8cc1d3e8dd334624ea307a5edf8af58231fee7
SHA256
61cb53c596952478eea49ec83172b105dd9c35d741b7ae483fd46c65de068faf
SHA512
4b1282c121dafa020807279cb268b32bf37a3cd83ca965b341f00f55e4ef49101b131f83967388c3f636ff4803b9cd587af184318f3a3e3c388e7a44a078504e