Analysis

max time kernel: 93s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 19:28
Static task: static1

Behavioral task: behavioral1
  Sample: 09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772.exe
  Resource: win10v2004-20241007-en
General

Target: 09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772.exe
Size: 96KB
MD5: 7715d63e9f2dfe8926f48d81bd019fdc
SHA1: a227fa00fd700cd76f6d137d182ea271b5ae10e5
SHA256: 09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772
SHA512: 3ba20bf1f64be8f9add3f879971e5ad8521a486ff9c2395fa03c5616e6affae49eeb165864eaf02e77037b4c6767359b83a33390c38f2d570e25ce73e6bd377d
SSDEEP: 1536:/XEq82JQ8zdLj6APuHX9HzT7Qd9OyPFC/DQ6d+//BOmwCMy0QiLiizHNQNdq:/t8EV6AP+XBTQtPF8u5OmwCMyELiAHOi
Malware Config

Extracted: berbew
- http://f/wcmd.htm
- http://f/ppslog.php
- http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 50 IoCs)
Berbew family
Executes dropped EXE (25 IoCs)

pid   Process
3832  Cjinkg32.exe
1180  Cenahpha.exe
2228  Chmndlge.exe
1264  Cmiflbel.exe
2324  Cdcoim32.exe
4688  Cfbkeh32.exe
4008  Cagobalc.exe
3124  Cdfkolkf.exe
1548  Cjpckf32.exe
3076  Cmnpgb32.exe
4548  Ceehho32.exe
4976  Cffdpghg.exe
4144  Calhnpgn.exe
4012  Dhfajjoj.exe
2260  Danecp32.exe
1544  Djgjlelk.exe
2232  Delnin32.exe
4036  Dfnjafap.exe
1004  Daconoae.exe
2396  Dhmgki32.exe
2368  Dkkcge32.exe
1000  Daekdooc.exe
4632  Dddhpjof.exe
4580  Dknpmdfc.exe
4516  Dmllipeg.exe
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)

pid   pid_target  Process       procid_target
4068  4516        WerFault.exe  107
System Location Discovery: System Language Discovery (1 TTP, 26 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Tree depth is given in brackets: [1] is the submitted sample, and each process at depth n+1 is the child of the process at depth n, which matches the WriteProcessMemory records above. The command lines of the dropped stages name C:\Windows\system32\ but the images run from C:\Windows\SysWOW64\: the sample and every stage it drops are 32-bit, so WOW64 file-system redirection maps system32 to SysWOW64 for them.

[1] C:\Users\Admin\AppData\Local\Temp\09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772.exe (command line: "C:\Users\Admin\AppData\Local\Temp\09609a208b4f2b208d9cd3b86c9209e11b6ac836309f857c3e5d672ddd2a8772.exe"), PID 1100
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\Cjinkg32.exe (command line: C:\Windows\system32\Cjinkg32.exe), PID 3832
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\Cenahpha.exe (command line: C:\Windows\system32\Cenahpha.exe), PID 1180
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\Chmndlge.exe (command line: C:\Windows\system32\Chmndlge.exe), PID 2228
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\Cmiflbel.exe (command line: C:\Windows\system32\Cmiflbel.exe), PID 1264
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\Cdcoim32.exe (command line: C:\Windows\system32\Cdcoim32.exe), PID 2324
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[7] C:\Windows\SysWOW64\Cfbkeh32.exe (command line: C:\Windows\system32\Cfbkeh32.exe), PID 4688
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[8] C:\Windows\SysWOW64\Cagobalc.exe (command line: C:\Windows\system32\Cagobalc.exe), PID 4008
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[9] C:\Windows\SysWOW64\Cdfkolkf.exe (command line: C:\Windows\system32\Cdfkolkf.exe), PID 3124
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[10] C:\Windows\SysWOW64\Cjpckf32.exe (command line: C:\Windows\system32\Cjpckf32.exe), PID 1548
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[11] C:\Windows\SysWOW64\Cmnpgb32.exe (command line: C:\Windows\system32\Cmnpgb32.exe), PID 3076
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[12] C:\Windows\SysWOW64\Ceehho32.exe (command line: C:\Windows\system32\Ceehho32.exe), PID 4548
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[13] C:\Windows\SysWOW64\Cffdpghg.exe (command line: C:\Windows\system32\Cffdpghg.exe), PID 4976
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[14] C:\Windows\SysWOW64\Calhnpgn.exe (command line: C:\Windows\system32\Calhnpgn.exe), PID 4144
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[15] C:\Windows\SysWOW64\Dhfajjoj.exe (command line: C:\Windows\system32\Dhfajjoj.exe), PID 4012
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[16] C:\Windows\SysWOW64\Danecp32.exe (command line: C:\Windows\system32\Danecp32.exe), PID 2260
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[17] C:\Windows\SysWOW64\Djgjlelk.exe (command line: C:\Windows\system32\Djgjlelk.exe), PID 1544
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[18] C:\Windows\SysWOW64\Delnin32.exe (command line: C:\Windows\system32\Delnin32.exe), PID 2232
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[19] C:\Windows\SysWOW64\Dfnjafap.exe (command line: C:\Windows\system32\Dfnjafap.exe), PID 4036
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[20] C:\Windows\SysWOW64\Daconoae.exe (command line: C:\Windows\system32\Daconoae.exe), PID 1004
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[21] C:\Windows\SysWOW64\Dhmgki32.exe (command line: C:\Windows\system32\Dhmgki32.exe), PID 2396
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[22] C:\Windows\SysWOW64\Dkkcge32.exe (command line: C:\Windows\system32\Dkkcge32.exe), PID 2368
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[23] C:\Windows\SysWOW64\Daekdooc.exe (command line: C:\Windows\system32\Daekdooc.exe), PID 1000
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

[24] C:\Windows\SysWOW64\Dddhpjof.exe (command line: C:\Windows\system32\Dddhpjof.exe), PID 4632
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

[25] C:\Windows\SysWOW64\Dknpmdfc.exe (command line: C:\Windows\system32\Dknpmdfc.exe), PID 4580
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

[26] C:\Windows\SysWOW64\Dmllipeg.exe (command line: C:\Windows\system32\Dmllipeg.exe), PID 4516
- Executes dropped EXE
- System Location Discovery: System Language Discovery

[27] C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 408), PID 4068
- Program crash
[1] C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4516 -ip 4516), PID 5068
Top-level second WerFault instance handling the crash of PID 4516 (Dmllipeg.exe); not a child of the sample.
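One way to turn the WriteProcessMemory records and the process tree above into a detection: rebuild the parent-to-child line from the "PID X wrote to memory of Y ..." records and flag a long, strictly linear chain in which every hop hands off to a differently named dropped binary. This is an added example, not the sandbox's own parser. The record layout and the three-repeats-per-hop behaviour are read off the lines above; the sample records are copied from this report, and the "three hops, all images distinct" threshold is an assumed heuristic.

```python
"""
Rebuild the dropper chain from a sandbox report's "wrote to memory of"
records and flag the pattern seen above: a linear chain in which every
stage writes into, and hands off to, a freshly dropped executable.

Added example; not the sandbox's own code.  Record layout as rendered on
this page (the parent PID appears twice):

    PID <parent> wrote to memory of <child> <parent> <parent image> <n>

Each record is repeated once per WriteProcessMemory call the sandbox saw
(three times per hop here); parsing collapses the repeats.
"""
import re
from collections import defaultdict

RECORD = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<seq>\d+)"
)

# Records copied from the report above (five hops).  finditer() is used so
# the run-together form the page renders parses the same as one-per-line.
SAMPLE = """
PID 4548 wrote to memory of 4976 4548 Ceehho32.exe 94
PID 4548 wrote to memory of 4976 4548 Ceehho32.exe 94
PID 4548 wrote to memory of 4976 4548 Ceehho32.exe 94
PID 4976 wrote to memory of 4144 4976 Cffdpghg.exe 95 PID 4976 wrote to memory of 4144 4976 Cffdpghg.exe 95
PID 4144 wrote to memory of 4012 4144 Calhnpgn.exe 96
PID 4012 wrote to memory of 2260 4012 Dhfajjoj.exe 97
PID 2260 wrote to memory of 1544 2260 Danecp32.exe 98
"""


def parse_records(text):
    """Return {(parent_pid, child_pid): parent_image}, duplicates collapsed."""
    links = {}
    for m in RECORD.finditer(text):
        links[(int(m["parent"]), int(m["child"]))] = m["image"]
    return links


def chains(links):
    """Walk every root (a parent that is never a child) down its single-child
    line.  Each chain is a list of (pid, image); image is None for the last
    process when no record names it as a parent.  Branching stops the walk
    because the pattern of interest is strictly linear."""
    children = defaultdict(list)
    image = {}
    for (parent, child), img in links.items():
        children[parent].append(child)
        image[parent] = img
    all_children = {c for kids in children.values() for c in kids}
    result = []
    for root in [p for p in children if p not in all_children]:
        chain, pid, seen = [], root, set()
        while pid is not None and pid not in seen:
            seen.add(pid)
            chain.append((pid, image.get(pid)))
            kids = children.get(pid, [])
            pid = kids[0] if len(kids) == 1 else None
        result.append(chain)
    return result


def is_dropper_chain(chain, min_hops=3):
    """Assumed heuristic: at least min_hops parent->child hops, and every
    named image is distinct (each stage hands off to a different dropped
    binary rather than re-launching itself)."""
    images = [img for _, img in chain if img is not None]
    return len(chain) - 1 >= min_hops and len(set(images)) == len(images)


if __name__ == "__main__":
    for chain in chains(parse_records(SAMPLE)):
        verdict = "DROPPER CHAIN" if is_dropper_chain(chain) else "ok"
        print(verdict, " -> ".join(f"{pid}:{img or '?'}" for pid, img in chain))
```

Run against the full record list above it yields one chain from PID 1100 down to PID 1000, which is the same line the bracketed depths in the process tree show. The image of the last process in a chain is unknown from these records alone because only parents are named; join it against the process list if the name matters.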
Network
MITRE ATT&CK Enterprise v15
Downloads
Twenty-five files of 96KB (the process tree above shows 25 dropped executables) and one file of 7KB. The report does not state which hash belongs to which dropped file name.

-
Filesize: 96KB
MD5: acc9817011b59594dd98db4b93d203d2
SHA1: c489ac21cabf2adf4d0af13c59b6f80b15bfd87a
SHA256: 4b8cfcde4b01b111ec743f7003000d315fcc2035136436b2d61d22a5c07d5a8a
SHA512: f4516426cdf92b23703277eb6de90e5924f9c28365d0d1757fe7b2c176a6807475f50025db0f047546334092374618f776c495a8444d7cc1d4de1a14f7d5a1aa
-
Filesize: 96KB
MD5: fc16ba432e8e586e484ac6fa73ca2a20
SHA1: 91ac86dae300d095b203c1446b0dccc775dbb9e9
SHA256: bafb1805d8b7bbf0182276f8743860c7450fc0b4272f693d6631d5eb44f7e3cd
SHA512: 12457f4add308413dc1423c2412f4c9ccab855627694f826ba9289b9bdd0228cacf191494bd3a3f90527cfc46725781cfd1c1d3f3522e55b3e85f937407f3685
-
Filesize: 96KB
MD5: 80f21db2012400e398233a05862f1adb
SHA1: 92e89a2575b4c8d0fb89fdc4d6c554217e1e03ec
SHA256: 6c10431c7758428571b3a45719747eb6561a7d3b2d67ffcfc23e192fe05facf0
SHA512: 96b8445ae78e26071f1310e26008d5480c0ddd5341e326462f6b66afe21f5e70fbd19dfafc578c37a822a20d41a0102a1e0e883cc4f3738de736e6cfb9ed171c
-
Filesize: 96KB
MD5: 463a3da432239701995405bd62666bf2
SHA1: 06b21fa010c6dc20897a61f8e43b3e0cda5ff465
SHA256: 60c08bc5a6032c1ba958275f5e7a11a5e2b698f5a7ce072ff7bda162c564d2a2
SHA512: 3e4bd6c3a0ef174c31c44dff57bf3708c23f3bcc41926e4f5b7e77f79c19f284c31500c21f4c8a8a5a99ed1f59d6663f90bfd1c8534ccd0319203822b5c8d613
-
Filesize: 96KB
MD5: 011ea5f3eed3eddae60e55d0980b21fb
SHA1: 6e284c5c7fb373dc085d836629009ddec01cb008
SHA256: d444b1afb23a7a3041ba0cfb039931d1247c59e94d678f4c7737f023a5bb6ec9
SHA512: 908af9933f67affe36c1fc946f838ecc66cb5ebb93987ed461a1cf243e6337397a309ab0997432c833043ef8f17ed66146c32fcf6bc5cfac6b1ef3939ecbfe40
-
Filesize: 96KB
MD5: 985fe0579cfa8843864ccad6bc54b45e
SHA1: 4d3ba36f7bf590c08b6a4025d17e99bc7e9b8647
SHA256: fd48227dccd907b7842609c7bc69c4824e46a6a19bf7636cf8dbd92166dd29f4
SHA512: 65f299a8228552d6b5335962e5388d0674d1c2164cf42d23a5bb6352b03787aba3fe41da5d44b991d9baa72e7359c71ab382474a01939ad3ad18a9f30b6dc38f
-
Filesize: 96KB
MD5: 49bf3c3b47524f834f6a97dce382b608
SHA1: 0f4820a2f4f94f3ed04a7fc0e94b0c4bb3b802ea
SHA256: f9201961cef73cd66d784ca09d633822f51787d06500421ad8310a702d75324e
SHA512: 7572c118cba81acc59ea5688b363e399d3035110466134128b733f47c492f608cb4823c46aaceacf67d6d3620d8dfa23e75c85b8a9f8329fbaeb5d968ecaf9b8
-
Filesize: 96KB
MD5: 2cfbe3565f4557f4283c5ce2e6e6b10a
SHA1: 73772cefd6fd753684794795643186127841d7fb
SHA256: 35f6209c37e54f33d0a0cb4716985a259e09e2c793f42501d63ea7719715da3d
SHA512: 103be7d0a1faad1554da7dc71065f592bf83c515c3a73d6dd9cffb30e9160efe076dcde968160e7a38fcf67aae92f70e9b7f64ed4b79c221782ffe979489866d
-
Filesize: 96KB
MD5: eb0833a6c8fc9db9e289e27b6eec8f72
SHA1: a76a4e8c5967988f96a5f06dc4cdc6baf5707426
SHA256: 57cfc8b310ad3fa5d7f39205363426ccbf2ec014af7799fe3ca20bbcbadb1b02
SHA512: ffbf27e662bf5f78a021c960d8085b68b6ae3f1adddeca08ef5ea5c28228e2fb27324b28595c9e52d278156eedddc7d5a48f3c962e93990f62a67645666e8bba
-
Filesize: 96KB
MD5: 980935bfcdd05233f87259ac3f5857b0
SHA1: 5a8078d9ae5075d7611d71617283fb4a871e0cab
SHA256: ff64c2d37fa62706b29128114676fb5e5dcb4943758e522c250b2ae8fc7f62f5
SHA512: d7ca62a44af705df8596704691a955db56a451f4b6d61c3ed140ea627328b537c776770ee8e4d5d71a0dada93b7b5c6d975f1fe965b9897428da6630f6398b0b
-
Filesize: 96KB
MD5: 13ab8a805ff13da33e433fe6cbf9387d
SHA1: c13e0d8af64bd55ff361d145c0de4079e00c86f9
SHA256: 589a47530a84387753f0c447cbb7b3cb0075314980214f945957a993e73ea542
SHA512: 1c07d6a7e9c08a413b968a2604e9c80f7088cc0c9b66e9c8eba0e99030f817a8472f20b4e7eda9832722c8d1a56cfcf59538f4912d301bb162c50ca9193b9452
-
Filesize: 96KB
MD5: 14c6ac79c0a01e1016af4971c7eb9104
SHA1: 2c324769ac130ac979f5a34f80c91a935f79c62a
SHA256: b9ecf75430f226e564629a7d3bb4c96861b62fb8211a6e57752f1b949d031d8e
SHA512: 78d0177ac397a588154ff11653b22353b983acf3c95621f345af054d309bf93add686b2b898b6fa85523d0ee70c5a0ab39000ef4670f16e2cd6e2f04ef39d6d2
-
Filesize: 96KB
MD5: 85d109ed25ed6235c4ac5ffa213df4e6
SHA1: b3d59d0d5e09362c835a1b47a241c4d228cf8d05
SHA256: a5c41caf433d07355cdcfe56a5c9f2a9c6f6bc7d2b71df0196aae6654bcb5ab1
SHA512: b094b9ca516898634079f0be2af461b8a1ec7e1d6b48859a22a37dcc5890072a08485712bbce44da49d0c0610b6d9d1a6ec012bdd81a731a326e6d36d54ffdc4
-
Filesize: 96KB
MD5: 302771000152c87fb693a433a844b1f8
SHA1: 35f4011a9120c4c328cfba711743366841e51c46
SHA256: 1af288102e225a0a372d8960a8f49093309dd54da82437c45349d29f1f44f0ea
SHA512: 4d424f5299e23b7bbbb91721e09e5262be139cf1e821ba8e0f1a4d234c7e88bf4921a568a21f1e10641da5fc3cb84b69a115f3a6b1d10a800b89eacacd201b04
-
Filesize: 96KB
MD5: 8ad7344d20722749e5c1cb9c78d1788c
SHA1: 8df79602f5d6986da582d320e084673a1225df39
SHA256: 4f6712e36016d76ede0ce25964b69cdd9c4532173050bd9b77354a0bd0ac2fb7
SHA512: 27dbedbe18e9126c68b446540b45f4312f556ae6e32defe3d074598ce1469183a71c6afd2a6d9f2bc400b9bde36b22f9e8fc89258c17b98fb5737bd170cb36aa
-
Filesize: 96KB
MD5: b230a243dba20855ef89eb380327812c
SHA1: 2b6628426e202a89986f2e0bf671a0a9b3a6478b
SHA256: df71c8083e2310d1db9227c7379ff13271e5f84e9405863b2ca697715090399b
SHA512: 54fad79aa8f453ddcb2508b7ffc069bf4ac0658f4fbd7753bd2ab4f7cb6f806cb9bc8bc1b6991ed1e79ffe78e7532e2c00a7c411ecba66af0a4a11af5c7dec47
-
Filesize: 96KB
MD5: 11751c85e90e97df7727fa38c0202498
SHA1: 8dda29139d3767dea65d288208e47b160b78d663
SHA256: 59f23225c8948b667e2f3a52550dfb340a2ac06e74056727249aa4121ab566b2
SHA512: b25587662299cfca497e2198d36c81cc2b853a282edfc97f3d6b40a4c22852c3f74da3722483d29bea408e1cb4dd711f3814159b01de06b70148d958aeacdfe9
-
Filesize: 96KB
MD5: 9f8981f0136fa3707c9418486eac98ab
SHA1: aa6ac894b7b6105c44680b2304cff856484a362d
SHA256: 1dff1c5a5689306251786ff444d81541db40981bcd09bfed06dd9dba5452b1a0
SHA512: 068899b35bc0ecc539e77850b0bee8b630e268d9fd0b794cc36d7d97f4c2e1f90c452c9c71da1a33e3aa92e881582ae5a3f58fc90745d02a3104738f4735031d
-
Filesize: 96KB
MD5: 258ea2f21be219ee16ad51bb32f12034
SHA1: 9d64994d1386443e6777aed3ba13f9362fe2895c
SHA256: f8394ce057e76fd18d54fcdf16a70667bf3a3705a2fc01f13ca376446cc4144a
SHA512: 3aa814ebd3dafe427022f3676f195b06aab668f4c932170c27d14f2c8b4668ef2f5455c0f33bdcc3965b8ef6381b564ca1a24f39d1c932f595e1fb5012051026
-
Filesize: 96KB
MD5: c82afcd50509d7aab8b89d9b3e8e8da2
SHA1: 27a186b291696830b081679cdc1a21325a5735aa
SHA256: 7a921bca8d1895392e99879506e4a8697b3b89c8f35a2a4c6b0383b7984dffd7
SHA512: f15e2d32d014425ecbb2ffadb0422c49a741d9aed85f55a087fa1b749315fc2d35132a0ceb0aa7cddf2cbfac74c5b4cb3b30a6070a9bf27d584cb2f927fb2059
-
Filesize: 96KB
MD5: 76455e8ad9ebe3710f2b8281c518b384
SHA1: 893b80ed18db3e2f4df35a035a510b12d6c8fc02
SHA256: 3943199d9f0681e4cf13c7a96663bd7657a150c6e2a29b6745b1f66fc21270cb
SHA512: 09cbd53a291d95e6c812dd2de5faf87e90c756fcf35358ab38fe4dabfeda485eeaed59d012e938240d9d1a94619f062eef5a068ff47946fde9d8a3186670aaf5
-
Filesize: 96KB
MD5: b49ad5003032a05f6b5b7aa685de1997
SHA1: 10b34fe90f5288749d324c00b571b6d794598d97
SHA256: c5d6487003a006db95cea87ff53d8ab7dc3b3779a6349fe0db25090f38c20f08
SHA512: e26a53404349006f2ef24af254e98e3e27bd3d3c652275bd70e9ce3dc68fd17526ec5a2c81190ebd6a2c913bb16ea5abddbba07495175bca4d84dcc9624bb0ee
-
Filesize: 96KB
MD5: f7e7350061471f205e6c41a3fd4a2728
SHA1: 4c1711be609cd8c1c200e4735bce49bf646595ae
SHA256: 5653b6df7f41ad75f470da43e3c8b9b8a8c67f4fa918e21d9a04de4dee04a99d
SHA512: b89d24b4d1704de35fc76e481831fa06e2a48abeb9000512187d077ccf77c63ac26f64a643f8363bfb0d8808c9399a15f0074a4ae9a0d6eadd049e3bd96e5ff5
-
Filesize: 96KB
MD5: bc5399ac3ce4ac2c5a728b068de4219f
SHA1: ed6f31babb397d3bc728300df3b50a83e21797f1
SHA256: c0eb5c7c7c1e0359a03dcbd389f2ffef0c90b99a0b89639bad713d27535d9ce1
SHA512: 5786f921737a1e5fa01c7a00e5c7c5fcab005f43ac9be20250466bfc080ddae35e660dc3e604b535e616e3309caca1f2db4976332b8d732a87705611849e174d
-
Filesize: 96KB
MD5: 876606dc936cbbfbbfc02e436616b0a4
SHA1: d2ec459ad3b27a3f12e9b9984f3f175abe85dd67
SHA256: cf7cbb297694c61ea2e5c9bd14a1d36a2ab02c7b804987babf21677ac70d14b5
SHA512: fc1eefa377cdd0a7226a2a71b83872f7555f3a63df8039ea0090de20f1c3a4b000fd1d7427879f74d79129afecd446bfc4b5900dbe2ba29d4e52fa49b7d01026
-
Filesize: 7KB
MD5: af1da632033bd44b7626581019df4b25
SHA1: 249c432b9f06b792a1f914f2bb6b39086ddec5c5
SHA256: 95226d5e16e5b6fef77c3695b3847bd29dde17c10b1a0b6074be3d6a1bf86e76
SHA512: 31ba7a47beea8f048c9920e2c9d7b065f2d1451043424fd621a3b7616c1c168be4bfa5cd0dffaa3e7411ce9245acc7b78de7e2f20b979de890dd3b71936bbe63