Analysis
max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 19:55

Behavioral task: behavioral1
Sample: 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe
Resource: win7-20240903-en
General
Target: 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe
Size: 93KB
MD5: 56e8fd1e5e63cd86a316795080500010
SHA1: ebc4c0f4c6f883f99e3d4fb6948717fd0d64584f
SHA256: 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fec
SHA512: aaeab82f8f36500119d4dbfbf653f56ffd75404d760d620e37b92ee5034dcb80034ff0cce50ff4986e1c5f9c2de7a760bdd0ee89e283539f016ac2172977aa88
SSDEEP: 1536:1XJmcYwJcpAHyAoiOFJcPJw1DaYfMZRWuLsV+1b:1XJvcCHyu1PWgYfc0DV+1b
Malware Config
Extracted: berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 58 IoCs)
ShellServiceObjectDelayLoad (SSODL) holds CLSIDs of in-process COM objects that Explorer.exe instantiates when the shell starts. Registering a CLSID there and pointing its InProcServer32 at a dropped DLL (see "Modifies registry class" below) gets that DLL loaded inside Explorer at every logon. Every stage of this sample registers the same CLSID under the same value name, "Web Event Logger". All writes land in the WOW6432Node view because the stages are 32-bit processes subject to WOW64 registry redirection.

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | each of the 29 processes listed below
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | each of the 29 processes listed below

Processes (29: the sample and every dropped EXE except Dmllipeg.exe, the last process in the chain and the one WerFault.exe reports on below): 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe, Beihma32.exe, Bhhdil32.exe, Bnbmefbg.exe, Bmemac32.exe, Chjaol32.exe, Cndikf32.exe, Cenahpha.exe, Chmndlge.exe, Cnffqf32.exe, Ceqnmpfo.exe, Cfbkeh32.exe, Cagobalc.exe, Cfdhkhjj.exe, Cmnpgb32.exe, Cdhhdlid.exe, Cjbpaf32.exe, Calhnpgn.exe, Dfiafg32.exe, Dmcibama.exe, Danecp32.exe, Dfknkg32.exe, Dmefhako.exe, Ddonekbl.exe, Dfnjafap.exe, Ddakjkqi.exe, Dmjocp32.exe, Deagdn32.exe, Dknpmdfc.exe
Berbew family

Njrat family
Executes dropped EXE (29 IoCs)

pid | Process
3456 | Beihma32.exe
1524 | Bhhdil32.exe
1444 | Bnbmefbg.exe
3864 | Bmemac32.exe
1068 | Chjaol32.exe
1156 | Cndikf32.exe
3980 | Cenahpha.exe
3696 | Chmndlge.exe
700 | Cnffqf32.exe
4876 | Ceqnmpfo.exe
3896 | Cfbkeh32.exe
744 | Cagobalc.exe
5100 | Cfdhkhjj.exe
3536 | Cmnpgb32.exe
2220 | Cdhhdlid.exe
2952 | Cjbpaf32.exe
4844 | Calhnpgn.exe
1776 | Dfiafg32.exe
5088 | Dmcibama.exe
1324 | Danecp32.exe
724 | Dfknkg32.exe
1644 | Dmefhako.exe
4584 | Ddonekbl.exe
4440 | Dfnjafap.exe
2712 | Ddakjkqi.exe
3036 | Dmjocp32.exe
2668 | Deagdn32.exe
1996 | Dknpmdfc.exe
4312 | Dmllipeg.exe
Drops file in System32 directory (64 IoCs)
Each stage drops the next-stage EXE and one DLL under C:\Windows\SysWOW64\. The DLL names are the ones the same stage registers as InProcServer32 in the "Modifies registry class" rows (Gblnkg32.dll for the sample, Mkfdhbpg.dll for Bhhdil32.exe, and so on). The list stops at 64 entries, so not every stage's files appear here.

description | ioc | Process
File created | C:\Windows\SysWOW64\Beihma32.exe | 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe
File opened for modification | C:\Windows\SysWOW64\Bmemac32.exe | Bnbmefbg.exe
File opened for modification | C:\Windows\SysWOW64\Beihma32.exe | 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe
File created | C:\Windows\SysWOW64\Ghekjiam.dll | Ceqnmpfo.exe
File created | C:\Windows\SysWOW64\Dfnjafap.exe | Ddonekbl.exe
File created | C:\Windows\SysWOW64\Gifhkeje.dll | Dfnjafap.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Mjelcfha.dll | Dmefhako.exe
File created | C:\Windows\SysWOW64\Cagobalc.exe | Cfbkeh32.exe
File opened for modification | C:\Windows\SysWOW64\Cmnpgb32.exe | Cfdhkhjj.exe
File opened for modification | C:\Windows\SysWOW64\Calhnpgn.exe | Cjbpaf32.exe
File opened for modification | C:\Windows\SysWOW64\Dfiafg32.exe | Calhnpgn.exe
File created | C:\Windows\SysWOW64\Kkmjgool.dll | Calhnpgn.exe
File created | C:\Windows\SysWOW64\Ddonekbl.exe | Dmefhako.exe
File opened for modification | C:\Windows\SysWOW64\Bnbmefbg.exe | Bhhdil32.exe
File opened for modification | C:\Windows\SysWOW64\Cenahpha.exe | Cndikf32.exe
File created | C:\Windows\SysWOW64\Calhnpgn.exe | Cjbpaf32.exe
File created | C:\Windows\SysWOW64\Dmcibama.exe | Dfiafg32.exe
File opened for modification | C:\Windows\SysWOW64\Deagdn32.exe | Dmjocp32.exe
File opened for modification | C:\Windows\SysWOW64\Cfbkeh32.exe | Ceqnmpfo.exe
File created | C:\Windows\SysWOW64\Dfiafg32.exe | Calhnpgn.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
File opened for modification | C:\Windows\SysWOW64\Chjaol32.exe | Bmemac32.exe
File created | C:\Windows\SysWOW64\Cnffqf32.exe | Chmndlge.exe
File created | C:\Windows\SysWOW64\Kdqjac32.dll | Cnffqf32.exe
File opened for modification | C:\Windows\SysWOW64\Danecp32.exe | Dmcibama.exe
File created | C:\Windows\SysWOW64\Ddakjkqi.exe | Dfnjafap.exe
File opened for modification | C:\Windows\SysWOW64\Dknpmdfc.exe | Deagdn32.exe
File created | C:\Windows\SysWOW64\Nokpao32.dll | Deagdn32.exe
File created | C:\Windows\SysWOW64\Mkfdhbpg.dll | Bhhdil32.exe
File created | C:\Windows\SysWOW64\Cfbkeh32.exe | Ceqnmpfo.exe
File created | C:\Windows\SysWOW64\Echdno32.dll | Cfbkeh32.exe
File opened for modification | C:\Windows\SysWOW64\Cjbpaf32.exe | Cdhhdlid.exe
File created | C:\Windows\SysWOW64\Naeheh32.dll | Cjbpaf32.exe
File opened for modification | C:\Windows\SysWOW64\Ddakjkqi.exe | Dfnjafap.exe
File created | C:\Windows\SysWOW64\Gblnkg32.dll | 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe
File created | C:\Windows\SysWOW64\Bhhdil32.exe | Beihma32.exe
File created | C:\Windows\SysWOW64\Chmndlge.exe | Cenahpha.exe
File created | C:\Windows\SysWOW64\Lpggmhkg.dll | Cmnpgb32.exe
File opened for modification | C:\Windows\SysWOW64\Dmefhako.exe | Dfknkg32.exe
File created | C:\Windows\SysWOW64\Poahbe32.dll | Ddonekbl.exe
File created | C:\Windows\SysWOW64\Dfknkg32.exe | Danecp32.exe
File opened for modification | C:\Windows\SysWOW64\Ddonekbl.exe | Dmefhako.exe
File opened for modification | C:\Windows\SysWOW64\Dmjocp32.exe | Ddakjkqi.exe
File opened for modification | C:\Windows\SysWOW64\Cdhhdlid.exe | Cmnpgb32.exe
File created | C:\Windows\SysWOW64\Bobiobnp.dll | Ddakjkqi.exe
File opened for modification | C:\Windows\SysWOW64\Bhhdil32.exe | Beihma32.exe
File created | C:\Windows\SysWOW64\Bnbmefbg.exe | Bhhdil32.exe
File created | C:\Windows\SysWOW64\Bmemac32.exe | Bnbmefbg.exe
File created | C:\Windows\SysWOW64\Cndikf32.exe | Chjaol32.exe
File opened for modification | C:\Windows\SysWOW64\Cnffqf32.exe | Chmndlge.exe
File created | C:\Windows\SysWOW64\Lfjhbihm.dll | Chmndlge.exe
File created | C:\Windows\SysWOW64\Chjaol32.exe | Bmemac32.exe
File opened for modification | C:\Windows\SysWOW64\Ceqnmpfo.exe | Cnffqf32.exe
File created | C:\Windows\SysWOW64\Ffpmlcim.dll | Cfdhkhjj.exe
File created | C:\Windows\SysWOW64\Cjbpaf32.exe | Cdhhdlid.exe
File created | C:\Windows\SysWOW64\Dmjocp32.exe | Ddakjkqi.exe
File created | C:\Windows\SysWOW64\Dknpmdfc.exe | Deagdn32.exe
File created | C:\Windows\SysWOW64\Mkijij32.dll | Cndikf32.exe
File created | C:\Windows\SysWOW64\Cfdhkhjj.exe | Cagobalc.exe
File created | C:\Windows\SysWOW64\Cdhhdlid.exe | Cmnpgb32.exe
File opened for modification | C:\Windows\SysWOW64\Dmcibama.exe | Dfiafg32.exe
File created | C:\Windows\SysWOW64\Mogqfgka.dll | Bnbmefbg.exe
File opened for modification | C:\Windows\SysWOW64\Chmndlge.exe | Cenahpha.exe
Program crash (1 IoCs)
pid_target 4312 is Dmllipeg.exe, the last dropped EXE in the chain (see "Executes dropped EXE"); it is the one stage that registers no autorun key, which is consistent with it crashing before doing so.

pid | pid_target | Process | procid_target
1340 | 4312 | WerFault.exe | 110
System Location Discovery: System Language Discovery (1 TTP, 30 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. The key below is also read by ordinary locale-aware code, so on its own this is a weak signal; it matters here only in combination with the drop chain and the registry persistence.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | each of the 30 processes listed below

Processes (30): Chjaol32.exe, Cdhhdlid.exe, 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe, Bhhdil32.exe, Cenahpha.exe, Cfdhkhjj.exe, Danecp32.exe, Dfnjafap.exe, Dmllipeg.exe, Dfknkg32.exe, Dknpmdfc.exe, Bnbmefbg.exe, Cndikf32.exe, Cmnpgb32.exe, Dmcibama.exe, Deagdn32.exe, Bmemac32.exe, Chmndlge.exe, Cfbkeh32.exe, Cagobalc.exe, Cjbpaf32.exe, Dmefhako.exe, Dmjocp32.exe, Beihma32.exe, Ceqnmpfo.exe, Dfiafg32.exe, Ddonekbl.exe, Cnffqf32.exe, Calhnpgn.exe, Ddakjkqi.exe
Modifies registry class (64 IoCs)
Every entry concerns the single CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID. The sample creates the CLSID key; each stage then creates or re-creates the InProcServer32 subkey, sets ThreadingModel to "Apartment", and points the InProcServer32 default value at the DLL it dropped into SysWOW64. Because each stage overwrites the same default value, the DLL Explorer.exe would eventually load is whichever stage wrote last. The list stops at 64 entries, so not every stage appears in every row.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjbpaf32.exe, Cmnpgb32.exe, Chjaol32.exe, Cnffqf32.exe, Calhnpgn.exe, 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe, Bmemac32.exe, Chmndlge.exe, Cfbkeh32.exe, Dmefhako.exe, Dfnjafap.exe, Ceqnmpfo.exe, Cfdhkhjj.exe, Ddakjkqi.exe, Cagobalc.exe, Bhhdil32.exe, Dfiafg32.exe, Bnbmefbg.exe, Cndikf32.exe (19 entries)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chjaol32.exe, Ceqnmpfo.exe, Cjbpaf32.exe, Danecp32.exe, Bmemac32.exe, Cenahpha.exe, Dfknkg32.exe, Dknpmdfc.exe, 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe, Cmnpgb32.exe, Calhnpgn.exe, Dmcibama.exe, Dmefhako.exe, Cnffqf32.exe, Ddonekbl.exe, Ddakjkqi.exe, Beihma32.exe, Cfbkeh32.exe, Dfiafg32.exe, Deagdn32.exe (20 entries)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default) = "C:\\Windows\\SysWow64\\<dll>" | 23 entries, listed below

Process | InProcServer32 default value written
Chjaol32.exe | C:\Windows\SysWow64\Fqjamcpe.dll
Chmndlge.exe | C:\Windows\SysWow64\Lfjhbihm.dll
Dmcibama.exe | C:\Windows\SysWow64\Agjbpg32.dll
Danecp32.exe | C:\Windows\SysWow64\Cogflbdn.dll
Bhhdil32.exe | C:\Windows\SysWow64\Mkfdhbpg.dll
Bnbmefbg.exe | C:\Windows\SysWow64\Mogqfgka.dll
341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe | C:\Windows\SysWow64\Gblnkg32.dll
Cenahpha.exe | C:\Windows\SysWow64\Aoglcqao.dll
Ceqnmpfo.exe | C:\Windows\SysWow64\Ghekjiam.dll
Cfbkeh32.exe | C:\Windows\SysWow64\Echdno32.dll
Dmefhako.exe | C:\Windows\SysWow64\Mjelcfha.dll
Cfdhkhjj.exe | C:\Windows\SysWow64\Ffpmlcim.dll
Cdhhdlid.exe | C:\Windows\SysWow64\Jgilhm32.dll
Dknpmdfc.exe | C:\Windows\SysWow64\Kngpec32.dll
Ddakjkqi.exe | C:\Windows\SysWow64\Bobiobnp.dll
Deagdn32.exe | C:\Windows\SysWow64\Nokpao32.dll
Cagobalc.exe | C:\Windows\SysWow64\Ghilmi32.dll
Calhnpgn.exe | C:\Windows\SysWow64\Kkmjgool.dll
Dfknkg32.exe | C:\Windows\SysWow64\Gidbim32.dll
Dfnjafap.exe | C:\Windows\SysWow64\Gifhkeje.dll
Cjbpaf32.exe | C:\Windows\SysWow64\Naeheh32.dll
Dmjocp32.exe | C:\Windows\SysWow64\Kahdohfm.dll
Ddonekbl.exe | C:\Windows\SysWow64\Poahbe32.dll
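The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") describe one mechanism: an SSODL value whose data is a CLSID, and that CLSID's InProcServer32 default value naming the DLL. The Python script below is an added example, not part of the sandbox report, and resolves SSODL values to their DLL the way a responder would on a host. It runs on any OS against a dict snapshot of HKLM keys; the embedded snapshot is constructed from the values the initial sample wrote according to this report. On Windows, snapshot_from_winreg() reads the live keys instead. KNOWN_GOOD_CLSIDS is an assumed, empty allowlist to be filled with the baseline image's legitimate SSODL entries. One caveat the script is built around: the 32-bit stages here land in the WOW6432Node view through WOW64 registry redirection, while the 64-bit explorer.exe on this image reads the native key, so whether these entries actually fire at logon should be confirmed rather than assumed; both views are enumerated for exactly that reason.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) entries to the DLL that
Explorer.exe would load for them.

Added example for this report, not part of the sandbox output. It works
on a plain dict snapshot of HKLM keys so it runs on any OS; on a Windows
host, snapshot_from_winreg() builds that snapshot from the live registry.
"""
import re
import sys

SSODL_SUBKEY = "Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"
# Both registry views matter: the 32-bit stages in this report write the
# WOW6432Node view of a 64-bit Windows, which 64-bit tooling easily misses.
SSODL_KEYS = {
    "native": "SOFTWARE\\" + SSODL_SUBKEY,
    "wow64": "SOFTWARE\\WOW6432Node\\" + SSODL_SUBKEY,
}
CLASSES_ROOT = {
    "native": "SOFTWARE\\Classes\\CLSID",
    "wow64": "SOFTWARE\\Classes\\WOW6432Node\\CLSID",
}
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumption: a reviewer-maintained allowlist of CLSIDs expected in SSODL on
# the baseline image. It is empty here, so every entry is reported.
KNOWN_GOOD_CLSIDS = frozenset()

# Constructed snapshot holding the values the initial sample wrote (taken from
# the "Adds autorun key" and "Modifies registry class" rows of this report).
SAMPLE_SNAPSHOT = {
    SSODL_KEYS["wow64"]: {
        "Web Event Logger": "{79FEACFF-FFCE-815E-A900-316290B5B738}",
    },
    CLASSES_ROOT["wow64"] + "\\{79FEACFF-FFCE-815E-A900-316290B5B738}\\InProcServer32": {
        "": "C:\\Windows\\SysWow64\\Gblnkg32.dll",   # default value = DLL to load
        "ThreadingModel": "Apartment",
    },
}


def resolve_ssodl(snapshot, allow=KNOWN_GOOD_CLSIDS):
    """snapshot: {hklm_key_path: {value_name: data}}; key paths are compared
    case-insensitively. Returns one finding per SSODL value whose CLSID is
    not in `allow`, with the InProcServer32 DLL looked up in the same
    registry view first and the other view second."""
    keys = {k.lower(): v for k, v in snapshot.items()}
    allowed = {c.upper() for c in allow}
    findings = []
    for view, ssodl_key in SSODL_KEYS.items():
        for name, clsid in keys.get(ssodl_key.lower(), {}).items():
            clsid = str(clsid).strip()
            if clsid.upper() in allowed:
                continue
            finding = {"view": view, "value": name, "clsid": clsid,
                       "dll": None, "threading_model": None,
                       "reason": "CLSID not in allowlist"}
            if not CLSID_RE.match(clsid):
                finding["reason"] = "SSODL data is not a CLSID"
                findings.append(finding)
                continue
            other = "native" if view == "wow64" else "wow64"
            for v in (view, other):
                inproc = keys.get((CLASSES_ROOT[v] + "\\" + clsid + "\\InProcServer32").lower())
                if inproc is not None:
                    finding["dll"] = inproc.get("")
                    finding["threading_model"] = inproc.get("ThreadingModel")
                    break
            else:
                finding["reason"] = "CLSID has no InProcServer32 key (dangling entry)"
            findings.append(finding)
    return findings


def snapshot_from_winreg():
    """Windows only: read both SSODL keys and the InProcServer32 key of every
    CLSID they reference into the snapshot format used above."""
    import winreg  # stdlib, present only on Windows

    snap = {}

    def read(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:          # no more values
                        break
                    values[name] = data      # the default value enumerates as ""
                    i += 1
                snap[path] = values
        except OSError:
            pass                             # key absent in this view

    for path in SSODL_KEYS.values():
        read(path)
    for values in list(snap.values()):
        for clsid in values.values():
            if isinstance(clsid, str) and CLSID_RE.match(clsid.strip()):
                for root in CLASSES_ROOT.values():
                    read(root + "\\" + clsid.strip() + "\\InProcServer32")
    return snap


if __name__ == "__main__":
    snap = snapshot_from_winreg() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for f in resolve_ssodl(snap):
        print(f"[{f['view']}] {f['value']!r} -> {f['clsid']} -> {f['dll']} ({f['reason']})")
```

Against the constructed snapshot the script reports the single "Web Event Logger" entry resolving to C:\Windows\SysWow64\Gblnkg32.dll. Resolving to a path is deliberately the end of the offline check: a DLL under SysWOW64 looks no different from a legitimate one by path alone, so on a live host the next step is verifying the file's Authenticode signature and hash, not judging the location.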
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent writes into the memory of the child it has just dropped and executed. The sandbox records every parent/child pair three times; the 64-entry limit cuts the list after the first record of the 724 → 1644 pair. Ordered by procid_target, the records form a single linear chain:

pid | Process | wrote to memory of (pid) | procid_target
2968 | 341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe | 3456 | 82
3456 | Beihma32.exe | 1524 | 83
1524 | Bhhdil32.exe | 1444 | 84
1444 | Bnbmefbg.exe | 3864 | 85
3864 | Bmemac32.exe | 1068 | 86
1068 | Chjaol32.exe | 1156 | 87
1156 | Cndikf32.exe | 3980 | 88
3980 | Cenahpha.exe | 3696 | 89
3696 | Chmndlge.exe | 700 | 90
700 | Cnffqf32.exe | 4876 | 91
4876 | Ceqnmpfo.exe | 3896 | 92
3896 | Cfbkeh32.exe | 744 | 93
744 | Cagobalc.exe | 5100 | 94
5100 | Cfdhkhjj.exe | 3536 | 95
3536 | Cmnpgb32.exe | 2220 | 96
2220 | Cdhhdlid.exe | 2952 | 97
2952 | Cjbpaf32.exe | 4844 | 98
4844 | Calhnpgn.exe | 1776 | 99
1776 | Dfiafg32.exe | 5088 | 100
5088 | Dmcibama.exe | 1324 | 101
1324 | Danecp32.exe | 724 | 102
724 | Dfknkg32.exe | 1644 | 103
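The WriteProcessMemory rows above are a flattened table in which each parent/child pair appears three times, and the target of each write is itself one of the dropped EXEs. The Python below is an added example, not part of the report: it parses that row format, collapses the repeats, joins the targets against the "Executes dropped EXE" table so that leaf processes get a name, prints the resulting process tree, and flags any write target that is not a dropped EXE, which would indicate injection into a process the sample did not create rather than the self-replicating chain seen here. The embedded rows are copied from this report and truncated to four parent/child pairs; the parsing is generic to the row format.

```python
"""Rebuild the dropper chain from the flattened 'Suspicious use of
WriteProcessMemory' and 'Executes dropped EXE' rows of a sandbox report.

Added example, not part of the report. The sample rows below are copied
from this report and truncated to the first three parent/child pairs and
the final one; the parsing is generic to the row format.
"""
import re

# One row: "PID <src> wrote to memory of <dst> <src> <image of src> <procid_target>"
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)"
)
# One row of the dropped-EXE table: "<pid> <image>.exe"
DROPPED_RE = re.compile(r"(\d+) (\S+\.exe)", re.IGNORECASE)

SAMPLE = "341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe"
# Rows copied from this report (each pair is recorded three times; the last
# pair once because the report's list is cut at 64 entries).
WPM_SAMPLE = "description pid Process procid_target " + " ".join(
    [f"PID 2968 wrote to memory of 3456 2968 {SAMPLE} 82"] * 3
    + ["PID 3456 wrote to memory of 1524 3456 Beihma32.exe 83"] * 3
    + ["PID 1524 wrote to memory of 1444 1524 Bhhdil32.exe 84"] * 3
    + ["PID 724 wrote to memory of 1644 724 Dfknkg32.exe 103"]
)
DROPPED_SAMPLE = ("pid Process 3456 Beihma32.exe 1524 Bhhdil32.exe 1444 Bnbmefbg.exe "
                  "724 Dfknkg32.exe 1644 Dmefhako.exe")


def parse_wpm(text):
    """Collapse repeated rows into unique parent->child edges (first-seen
    order) and count how often each pair was recorded."""
    edges = {}
    for m in WPM_RE.finditer(text):
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, {"src": key[0], "dst": key[1], "image": m["image"],
                                     "procid_target": int(m["procid"]), "count": 0})
        edge["count"] += 1
    return list(edges.values())


def parse_dropped(text):
    """pid -> image for every row of the 'Executes dropped EXE' table."""
    return {int(pid): image for pid, image in DROPPED_RE.findall(text)}


def build_tree(edges, dropped):
    """Return [(depth, pid, image), ...] in depth-first order, one subtree per
    root (a writer that is never itself a target). Images of leaf processes
    come from the dropped-EXE table, since leaves never appear as a writer."""
    images = {e["src"]: e["image"] for e in edges}
    images.update(dropped)
    children = {}
    for e in edges:
        children.setdefault(e["src"], []).append(e["dst"])
    targets = {e["dst"] for e in edges}
    roots = [pid for pid in children if pid not in targets]
    out = []

    def walk(pid, depth, seen):
        if pid in seen:                  # guard against cyclic or garbled input
            return
        seen.add(pid)
        out.append((depth, pid, images.get(pid, "<unknown>")))
        for child in children.get(pid, []):
            walk(child, depth + 1, seen)

    for root in roots:
        walk(root, 0, set())
    return out


def unexpected_targets(edges, dropped):
    """Write targets that are not dropped EXEs. A non-empty result means the
    sample wrote into a process that is not one of its own dropped
    executables; for a self-replicating chain like this one it is empty."""
    return {e["dst"] for e in edges} - set(dropped)


if __name__ == "__main__":
    edges = parse_wpm(WPM_SAMPLE)
    dropped = parse_dropped(DROPPED_SAMPLE)
    for depth, pid, image in build_tree(edges, dropped):
        print("  " * depth + f"{pid} {image}")
    print("unexpected targets:", unexpected_targets(edges, dropped) or "none")
```

With the truncated rows the tree has two roots (2968 and 724) only because the middle of the chain was left out; run against the full table, every writer except the sample is also a target and the output is the single chain shown above.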
Processes
-
C:\Users\Admin\AppData\Local\Temp\341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\341e2c13065bb4b04dd52a4aea21ed77a76ff8174d68b0c3a6bc1311fe963fecN.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2968
-
C:\Windows\SysWOW64\Beihma32.exe (level 2)
Command line: C:\Windows\system32\Beihma32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3456
-
C:\Windows\SysWOW64\Bhhdil32.exe (level 3)
Command line: C:\Windows\system32\Bhhdil32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1524
-
C:\Windows\SysWOW64\Bnbmefbg.exe (level 4)
Command line: C:\Windows\system32\Bnbmefbg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1444
-
C:\Windows\SysWOW64\Bmemac32.exe (level 5)
Command line: C:\Windows\system32\Bmemac32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3864
-
C:\Windows\SysWOW64\Chjaol32.exe (level 6)
Command line: C:\Windows\system32\Chjaol32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1068
-
C:\Windows\SysWOW64\Cndikf32.exe (level 7)
Command line: C:\Windows\system32\Cndikf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1156
-
C:\Windows\SysWOW64\Cenahpha.exe (level 8)
Command line: C:\Windows\system32\Cenahpha.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3980
-
C:\Windows\SysWOW64\Chmndlge.exe (level 9)
Command line: C:\Windows\system32\Chmndlge.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3696
-
C:\Windows\SysWOW64\Cnffqf32.exe (level 10)
Command line: C:\Windows\system32\Cnffqf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 700
-
C:\Windows\SysWOW64\Ceqnmpfo.exe (level 11)
Command line: C:\Windows\system32\Ceqnmpfo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4876
-
C:\Windows\SysWOW64\Cfbkeh32.exe (level 12)
Command line: C:\Windows\system32\Cfbkeh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3896
-
C:\Windows\SysWOW64\Cagobalc.exe (level 13)
Command line: C:\Windows\system32\Cagobalc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 744
-
C:\Windows\SysWOW64\Cfdhkhjj.exe (level 14)
Command line: C:\Windows\system32\Cfdhkhjj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 5100
-
C:\Windows\SysWOW64\Cmnpgb32.exe (level 15)
Command line: C:\Windows\system32\Cmnpgb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3536
-
C:\Windows\SysWOW64\Cdhhdlid.exe (level 16)
Command line: C:\Windows\system32\Cdhhdlid.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2220
-
C:\Windows\SysWOW64\Cjbpaf32.exe (level 17)
Command line: C:\Windows\system32\Cjbpaf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2952
-
C:\Windows\SysWOW64\Calhnpgn.exe (level 18)
Command line: C:\Windows\system32\Calhnpgn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4844
-
C:\Windows\SysWOW64\Dfiafg32.exe (level 19)
Command line: C:\Windows\system32\Dfiafg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1776
-
C:\Windows\SysWOW64\Dmcibama.exe (level 20)
Command line: C:\Windows\system32\Dmcibama.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 5088
-
C:\Windows\SysWOW64\Danecp32.exe (level 21)
Command line: C:\Windows\system32\Danecp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1324
-
C:\Windows\SysWOW64\Dfknkg32.exe (level 22)
Command line: C:\Windows\system32\Dfknkg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 724
-
C:\Windows\SysWOW64\Dmefhako.exe (level 23)
Command line: C:\Windows\system32\Dmefhako.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1644
-
C:\Windows\SysWOW64\Ddonekbl.exe (level 24)
Command line: C:\Windows\system32\Ddonekbl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4584
-
C:\Windows\SysWOW64\Dfnjafap.exe (level 25)
Command line: C:\Windows\system32\Dfnjafap.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4440
-
C:\Windows\SysWOW64\Ddakjkqi.exe (level 26)
Command line: C:\Windows\system32\Ddakjkqi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2712
-
C:\Windows\SysWOW64\Dmjocp32.exe (level 27)
Command line: C:\Windows\system32\Dmjocp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3036
-
C:\Windows\SysWOW64\Deagdn32.exe (level 28)
Command line: C:\Windows\system32\Deagdn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2668
-
C:\Windows\SysWOW64\Dknpmdfc.exe (level 29)
Command line: C:\Windows\system32\Dknpmdfc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1996
-
C:\Windows\SysWOW64\Dmllipeg.exe (level 30)
Command line: C:\Windows\system32\Dmllipeg.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4312
-
C:\Windows\SysWOW64\WerFault.exe (level 31)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 212
- Program crash
PID: 1340
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4312 -ip 4312
PID: 2196
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
93KB
MD5 faa7eef852a86bba4d4cce66f7752e0b
SHA1 3d429e1046f683ab79253986ad9c7b27f842c183
SHA256 bf519a312e51cf56a7699edd1615cb3891f57f299838c72d72614443e55c681b
SHA512 13d9c547632ad029f38ca0ac93275f80f2b4987911e3b06ff227955613ec1c70a791d5e6a4e5e68b74ea59bff6886ae74debcdfdbb31a964b1f49089219ef2aa
-
Filesize
93KB
MD5 e51a0bf5b13c3fc7dc22623d62ad263a
SHA1 bc6f330dcd44f6547e2d265924f357b2eca7e1b2
SHA256 7bef73c93c72227bd6a53355a76b4c5699913cad9e2285024d5a721a826094a9
SHA512 86a3b0d3b481399bca92afa4439ad2756270673187f2a630b1598b415fb3955d8ad1e493712fb683c1b81c2d3ed5a96bdd11b33179505bd139140bfb878c7790
-
Filesize
93KB
MD5 19ab77511faf1e960007cb73acb2c4b3
SHA1 fd3bee8946d210e463ec48edf55dd7d863b0b74b
SHA256 3282163fdb1d988dd6b9c2c4b87586fcdccb447e128f3265304832c0af344c29
SHA512 72af8983c703cca852c12ea97d9f522463c1efa035184511ade1a0d00c4abeb37001c493ae21cef838343b8acc34054d54534e724253d17560bf7ce480e5a520
-
Filesize
93KB
MD5 d7003e3b0b6eafe5eeae04f3ba4a0cbe
SHA1 1341f7da1e8313131b20b4f3bf87b501e5f6cbf5
SHA256 20229dc11d870a9c8369843004391ec3d0d20fead3889ae6d2349ddb7e69fc37
SHA512 922bdb3a6a2f6fdda86db03ef6b3128a87f9898728d06af5064058d1cbb6d93da3b0fa84974c19d4d734ead6da23d4d05ac0c9545aff252d5759a7ec743f7b9f
-
Filesize
93KB
MD5 6cb383f346511cd16a25f30011e84371
SHA1 e2ef51fbc3da16857526b4b952a40a2bb8ee9c6a
SHA256 4fbc24fd86ec4aef0895610e0c3d241a1766de902561fc8175d90cefa9ab8474
SHA512 5e79f1eacb3e1b264ec9e7bfe46ef3ae7ba7ae305173fc8b21ab46ac2724e5aa39629526529664986febecf29ffdf4e22e1c263fed0e51af60d206f7cad13b51
-
Filesize
93KB
MD5 58af7c48ecafd15890447095b6c18403
SHA1 7f5aa778482205330eae2f0f4635988257aefe12
SHA256 0fab891c692d4db2c761cbf92a4b55890eca2af69f27ca01a1faeb97382416f4
SHA512 58fb260b499f2ad61cdc351d176fb227af3e51b1b7e1ebb8e67fb4fe3a5cf14d5288fab9506cb347cb49a2949c1c8bb7634ee4861cab1b597984b494ecb67aff
-
Filesize
93KB
MD5 a5ff7b67c0f1e215427242ee5b49aa6e
SHA1 bea9b62e24c41ae95a06b3d2bc97196784b359bd
SHA256 696be6a22a4b82a63013eba99bd47d2b49b30f96d9532ca101ff48f7534fc155
SHA512 52a44bb8d9954b4f390f26f0b08d94e63641201d850ac4648f5d804b8ae112837d3c7c76df5c1dd6aa078b613d35aedfa5c98851b9d595e192cd318c5fb82d5b
-
Filesize
93KB
MD5 da4d368ae2abe519e750204d141f6518
SHA1 132e9cc7fab330e0e5e4e60414c61cdce0131b50
SHA256 f3689f49894a82f475763b23ca96af1852bab981c58dfdd50d260ae0d772ec22
SHA512 0ec7948817c5c53ac341f3d36770012dbb342e84400a6c0b4c326aaa0bfcd7b7d43dcf87206f2b90ff49d96f517fa6a13aa19cfa8645733663fce568d5e47843
-
Filesize
93KB
MD5 3e4dd2d0c7d02d323a75366d2f4410df
SHA1 677cba59b139100efa9b4cbb2eeb9ae3bf89ab2b
SHA256 f567cbe685e77071f6a476cf9971ba517b2db374612e037b1fb576cb8d4f4e4b
SHA512 d3efdb41e511a3b31fe3b00561ae31089c1c28c9a5bbe13447f80533f734cde37a9b791203430dc209b8cb9d028ee0eedad8d63a79e4dc120ff539de3bd5d2f1
-
Filesize
93KB
MD5 5e8e719514300182f0ef65558b61153c
SHA1 079be59b33ff0eca89e78879a121cad5b48bf943
SHA256 4b21b929ff391cb97b1d367b36753102dba1623536d6036f178bae95020a19dc
SHA512 6abacfd21c13004ef26bccd23db6d0e9abe9c7e721c58344c8ce92aecdc20b9df8782e50554ec6e798996712f5790bd258c950741550483a67a001284b503be9
-
Filesize
93KB
MD5 84244ab75bcf8c0f3b140935f0556a8c
SHA1 263668c0b65635332d04384918be4c9d856c9eb1
SHA256 9df9257e8936247aa67639024d1818b7bb4e3234baed04396ea7eab559ecc78b
SHA512 9e9c78989998ac5bf55e15a49bcce059fe6e72dcce7bdb3165c0e9a21b3b0edc8502229a3e157237d9cbcb980c5eafc14931046b0f96a9c7411bc0a3e9a1c5f4
-
Filesize
93KB
MD5 3ebf4c7263a032b7fbf1063eaae2f972
SHA1 1a5298b1971be10251da6f40adcc5e57527372cb
SHA256 5f73c101666b8a44ae63229b1b73a9800c76d6519f9c114719362a1eb4ca3f6f
SHA512 2f509ffc6b23a931b571a1c631479df8c6c9f152e8fd30150bfebeffe9c5cef868a21727cdc701267081fd9ee4a52fb6eff87602310c69b61225bd37f674b9bb
-
Filesize
93KB
MD5 10fd19ade1d0d89c822b387807efca78
SHA1 935ef22520d60ce9ba7ed44b948e7f1cfd523708
SHA256 2496e016ddbc36dd87defbd39ba1f6d3c3ea8cf0757882cc3a702a4faa8fee08
SHA512 dbffc2386a9eb451cca30707a9141b147e81ba914981936478e0f57ef5c8036a28852a8c4f4fc61b56866fe882e635334e0e7f4729dd9e73390d778f92164cfe
-
Filesize
93KB
MD5 63635af7ef862fab817a94658571236f
SHA1 d2668512d290ea75fdb7a98094261b42e0205a2c
SHA256 d41542ee02e064c799f5ea27b4df08f4777c82306aa7e188b1169309c4abac50
SHA512 7b3f302584bb214afa7a1d91609e836f80a267c1534950d46c950da8898f7fcef854c273176fe70d0bf692436c46fc3f32637c76b99a36d2d772a5c16def1819
-
Filesize
93KB
MD5 5bc2eba1a1f733f59a5aaf04c586dec5
SHA1 434aaff110013a637cfe0d1665a1a818ef6c3e3d
SHA256 566a16b1d3904d352f467bc45c7f7e4e6b7838d9bc87c7ab2cac343431ab6b63
SHA512 87fbbb6d169fb3bf1264791b5bd390848dd7a0715c25d1935a60ae2a9f4c00be89a00b03563ccefd17738aaf74c1150637f6443f76915929a2aa7b7c9cbe0b16
-
Filesize
93KB
MD5 6e53fb48f9765dff18a9d3545cd0a20b
SHA1 5861db06d7d6024416ea009cd92011116c4d97f2
SHA256 103a8d8300cb1f10e6bf47068d3bc9080ac7f3bb076b7effffdaa66c66c4c8f3
SHA512 5207be68aa8927c75bff0efe09624fef20842b8524ae29d1fa30b404e20a966253cff548c2b9714e8d40a1cb177d97baa71b519e2084a6cb80c6acec217397eb
-
Filesize
93KB
MD5 ba6c40c78da18e1d43e6bb7767bbf010
SHA1 95519bee7fb577c10ea8b4703811bda0eabbb1b8
SHA256 8b1f8cf98db9777962fc474cde1be21352c126565120d5ed759b27def2086732
SHA512 dd30ccc6692385e47cc87b174425334f4843ad2000b2b56bb9dd6dcc0fda0eba26a81a9e0b40a470304bd89b96840992a13b108da90e7135cf9a328c86277428
-
Filesize
93KB
MD5 9fffc3b5c4ac4901f33471be9de3744e
SHA1 fb963fb018a6c431be69755ea304e07550319f9f
SHA256 43e2802a883d634f97a5ee3b5949b4c76728c6dbadd19572b9d812ddf6fe6612
SHA512 9f0475f6bcd90a88fa9f947512cedc81f82f1f7fe3ae149183c026a4ab1ab5786263a998ce2470c7035c3faa9c0e3f1b85c7fd8d40671582a0d7842db6cc7706
-
Filesize
93KB
MD5 9a0007a84825c379a4e48aa8de60be39
SHA1 0d9ebf66f6c019ffa0b644f26167cb274235a4a4
SHA256 ef172abec993cd316f9fec8e4bf6b3644d4b5c10b69cca3a3941846820ef7949
SHA512 0788f6e1865f137b555172f6e581245de2c84972b2c6953b2987da5256546608f19ac133dbb827ac4f6f90ff3ed416dacb27c7ef853fc87524724cf673aaf000
-
Filesize
93KB
MD5 986502df474510957769efaa3176193b
SHA1 160dcc100a95821f6193ecfc39db41c06a80212f
SHA256 acfe8c5d71729974d3218e588e56e05acb04f5a97a51bb4cb28427d49c5dd678
SHA512 d91c24e4297d960e75ec614947918abdeb32b0e80417178b4984020740de55650d18ff6a4778f930dc54b96b7601a194ca2d0f98a249720503ab448219ccba9c
-
Filesize
93KB
MD5 1efe18956e83dfc2ebcabe85c4399044
SHA1 ec2b01ed1515d9440c6f46ff076b6abebc873a09
SHA256 6fc8204fb18f1c7ab38211b3ff955d1bbe05c5aeaf61f645f8b28655f672e042
SHA512 e46b722d1312a54f5a97e662ea21817df72e416a398b69ec7765257b9389b3d28f2811859bd6103be118747f2019e99b68bb17a7b0e5df0bdb89ba9eab9a7dc4
-
Filesize
93KB
MD5 9f68c0c2fe8a205263dcfaafb899c139
SHA1 d75bff1206ddb94764e0817da9925f4abe9cb7aa
SHA256 54c87b483a79115531b5b383ead72a114712525df2ced4ec7687f219cc66278d
SHA512 241455b9258588b4670c1928699958047e9d0b09339129f86a357270f6a006d5c93b22ccb43d69a710989196e39c3a78cc40e2fc618ad11102b9ed2934e61f6d
-
Filesize
93KB
MD5 ca52dfde8dfcea47cf1cfbbf6b9894fe
SHA1 defb456b23ef7eb3060869dd2b38a652c217f03a
SHA256 86e620ce47b2802b1372a3146c166add2422686db886a0e457b4f56701558bd6
SHA512 015caf4e9cde548e6b79a060d2f015a35a722a202bc65548392fae8d15ca8aec1132d4e15c5d8e7d0e45ef90a93330b34efe51b2f807b7c559966cd9b72725d2
-
Filesize
93KB
MD5 bb6b6dbf4fed05bfc9b9b13c9f982e9b
SHA1 27ad75bc13f2c05fcac229cd7482ed9d3ac604db
SHA256 f2a9179021c44f5bcfe1b77b83331e38caccac33325aefad3b5ac85671ec0f1b
SHA512 fc02ff7262c731353ae8b65da0f377e21fca1974d6574ca031aacaa4d07a6dc64769afcc97ce81429ac72b8a76d842b9caeb944712ccce75ddf5e9324dcd5ee0
-
Filesize
93KB
MD5 4ecc3339f89aa2f438bacdd660775a0f
SHA1 fa1bd0ef2152a5fe6f7b2abe85a06d1a726b5b37
SHA256 943ca2ef4911c246b842b9122a973d23dac9315d1f8b928bdb158c8fb03ebc7c
SHA512 3e232802654cef15ddbbd9b638a3866e769de01f4010b906f7f7e085c4f20c4e39ebea8d83c2493bf606f28f41afeab0be5e0d0d695bd8604dd0e258d3e7fb0d
-
Filesize
93KB
MD5 d80db3640b015a4039ccfc5b58595c21
SHA1 7209f73b19d8a1984ede60d0d0f074b6653519f6
SHA256 a020b34832f11dcea85814cf5b6069e44ee881b6a38ef29755eb1b8f83c269e2
SHA512 de662a3188b9a6dcbff75b90e8c507096dc7f0d0620759707ba947b17e09cd2f62b7d1fe4b0363a437bf3877bc7720d68b658f4afe53445fef4cf6515350f177
-
Filesize
93KB
MD5 e1b2cf9cb59a095db7df3e86d22b7adc
SHA1 7a4193afc5bd8c653d2aaac4df1f9494bb267c10
SHA256 930dbc1204ed7941d0198f067306d66e50038c4acf8ae2fa2fbef7e7fd72a4ef
SHA512 bce9096585286dd96f911993b9aa813ee396e091b28de7e2bad75f0d4b166fb66b33814e37f7d0a8b6e8c9b7dfd2881fcc77038f8e8ae93c4d47fc1a6f137f3f
-
Filesize
93KB
MD5 8b90e63ce72ba6e7b2f0edf6c8abc685
SHA1 1a66680c46dee388a48004ddc84e35ca0047ad97
SHA256 0b296a9481b10f1e6acd3d46bd098f35143146473cb43e2e668a8f849720e5ed
SHA512 7f03be63e2fe25f2ebeff9c92c080aa20f1c1bb1b1a5a3b6fa8e5e2e1f0fb5bdd853ec98c36e61a61b6bba682e1adbae0cc5418ded462c47373d9a7d0d2573c2
-
Filesize
93KB
MD5 40720a539c12255187441307f3eca634
SHA1 9717bec179caee577a7a8b6c56b4c8f16a1c53e7
SHA256 f1f58e08c60b1121074c31a84205501cc5a07711142de71e337fe107df395fc8
SHA512 30c397619b18ed1d77cb020d03a7165aacd3497833dfd91058a063ebe55cc0382be231e0c1b361921edbebaa1a7df747d43a4a7b651de4ba771bb0db41a0efda