Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 22:26
Static task: static1
Behavioral task: behavioral1
  Sample: 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
  Resource: win10v2004-20241007-en
General
Target: 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Size: 169KB
MD5: b81bdb4bce1fff58caf8ee7dda2a0bcb
SHA1: 3addd0654c6c4423117f816d1718176469f960c3
SHA256: 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d
SHA512: 6505653238389cfd90b90a5de9b377141343b9586a1bba63c7e8a55eba0bedf4347302bd9681c9a5d77aede2d69cf8d09b1f6f237c985c7eed8f376b6717d03a
SSDEEP: 3072:Ev+PAcQhv00I9JS9H8lSl+MDPxMeEvPOdgujv6NLPfFFrKP92f65Ha:Ev+PABh80oeeSXDJML3OdgawrFZKPf9
Malware Config
Extracted: berbew
- http://f/wcmd.htm
- http://f/ppslog.php
- http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 54 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bagflcje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Banllbdn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnffqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ceqnmpfo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceqnmpfo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceckcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddjejl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dddhpjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajkaii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Belebq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cenahpha.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cegdnopg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cegdnopg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmnpgb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajkaii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agoabn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnbmefbg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddonekbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddjejl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baicac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Balpgb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhmgki32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnkplejl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djdmffnn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aabmqd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcebhoii.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnmcjg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Banllbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajfhnjhq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Balpgb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmnpgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ceckcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnmcjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cenahpha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnffqf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agjhgngj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aabmqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Belebq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dddhpjof.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agoabn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bagflcje.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnbmefbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnkplejl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agjhgngj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bjokdipf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Baicac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjokdipf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddonekbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajfhnjhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bcebhoii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djdmffnn.exe
Berbew family
Executes dropped EXE (27 IoCs)
pid | Process
2008 | Ajfhnjhq.exe
2480 | Agjhgngj.exe
4740 | Aabmqd32.exe
2512 | Ajkaii32.exe
3232 | Agoabn32.exe
3356 | Bagflcje.exe
1824 | Bcebhoii.exe
4712 | Bjokdipf.exe
736 | Baicac32.exe
4780 | Bnmcjg32.exe
3004 | Balpgb32.exe
2784 | Banllbdn.exe
3960 | Bnbmefbg.exe
876 | Belebq32.exe
4844 | Cenahpha.exe
2124 | Cnffqf32.exe
1672 | Ceqnmpfo.exe
1728 | Ceckcp32.exe
3928 | Cnkplejl.exe
5072 | Cmnpgb32.exe
3580 | Cegdnopg.exe
648 | Ddjejl32.exe
384 | Djdmffnn.exe
4128 | Ddonekbl.exe
2060 | Dhmgki32.exe
4400 | Dddhpjof.exe
2748 | Dmllipeg.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Dddhpjof.exe | Dhmgki32.exe
File created | C:\Windows\SysWOW64\Ffcnippo.dll | Ajfhnjhq.exe
File created | C:\Windows\SysWOW64\Oahicipe.dll | Aabmqd32.exe
File opened for modification | C:\Windows\SysWOW64\Balpgb32.exe | Bnmcjg32.exe
File opened for modification | C:\Windows\SysWOW64\Bnbmefbg.exe | Banllbdn.exe
File created | C:\Windows\SysWOW64\Eifnachf.dll | Ceqnmpfo.exe
File opened for modification | C:\Windows\SysWOW64\Cegdnopg.exe | Cmnpgb32.exe
File created | C:\Windows\SysWOW64\Djdmffnn.exe | Ddjejl32.exe
File created | C:\Windows\SysWOW64\Aabmqd32.exe | Agjhgngj.exe
File created | C:\Windows\SysWOW64\Ajkaii32.exe | Aabmqd32.exe
File created | C:\Windows\SysWOW64\Bjokdipf.exe | Bcebhoii.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dddhpjof.exe
File created | C:\Windows\SysWOW64\Agoabn32.exe | Ajkaii32.exe
File created | C:\Windows\SysWOW64\Abkobg32.dll | Agoabn32.exe
File created | C:\Windows\SysWOW64\Cdlgno32.dll | Bcebhoii.exe
File created | C:\Windows\SysWOW64\Qihfjd32.dll | Balpgb32.exe
File created | C:\Windows\SysWOW64\Cegdnopg.exe | Cmnpgb32.exe
File created | C:\Windows\SysWOW64\Mjelcfha.dll | Djdmffnn.exe
File created | C:\Windows\SysWOW64\Eeiakn32.dll | Bagflcje.exe
File created | C:\Windows\SysWOW64\Bnbmefbg.exe | Banllbdn.exe
File created | C:\Windows\SysWOW64\Ffpmlcim.dll | Cnkplejl.exe
File created | C:\Windows\SysWOW64\Bcebhoii.exe | Bagflcje.exe
File opened for modification | C:\Windows\SysWOW64\Bnmcjg32.exe | Baicac32.exe
File created | C:\Windows\SysWOW64\Banllbdn.exe | Balpgb32.exe
File created | C:\Windows\SysWOW64\Mkfdhbpg.dll | Banllbdn.exe
File opened for modification | C:\Windows\SysWOW64\Ddonekbl.exe | Djdmffnn.exe
File created | C:\Windows\SysWOW64\Dhmgki32.exe | Ddonekbl.exe
File opened for modification | C:\Windows\SysWOW64\Bjokdipf.exe | Bcebhoii.exe
File created | C:\Windows\SysWOW64\Iphcjp32.dll | Bnmcjg32.exe
File created | C:\Windows\SysWOW64\Dddhpjof.exe | Dhmgki32.exe
File created | C:\Windows\SysWOW64\Bnmcjg32.exe | Baicac32.exe
File created | C:\Windows\SysWOW64\Ceqnmpfo.exe | Cnffqf32.exe
File opened for modification | C:\Windows\SysWOW64\Ceqnmpfo.exe | Cnffqf32.exe
File opened for modification | C:\Windows\SysWOW64\Ceckcp32.exe | Ceqnmpfo.exe
File created | C:\Windows\SysWOW64\Cmnpgb32.exe | Cnkplejl.exe
File created | C:\Windows\SysWOW64\Mgcail32.dll | Cmnpgb32.exe
File created | C:\Windows\SysWOW64\Fpdaoioe.dll | Ddonekbl.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dddhpjof.exe
File created | C:\Windows\SysWOW64\Bagflcje.exe | Agoabn32.exe
File created | C:\Windows\SysWOW64\Bneljh32.dll | Bjokdipf.exe
File created | C:\Windows\SysWOW64\Dmjapi32.dll | Baicac32.exe
File created | C:\Windows\SysWOW64\Pjngmo32.dll | Ceckcp32.exe
File opened for modification | C:\Windows\SysWOW64\Ddjejl32.exe | Cegdnopg.exe
File opened for modification | C:\Windows\SysWOW64\Dhmgki32.exe | Ddonekbl.exe
File created | C:\Windows\SysWOW64\Agjhgngj.exe | Ajfhnjhq.exe
File opened for modification | C:\Windows\SysWOW64\Agjhgngj.exe | Ajfhnjhq.exe
File opened for modification | C:\Windows\SysWOW64\Banllbdn.exe | Balpgb32.exe
File created | C:\Windows\SysWOW64\Gallfmbn.dll | Bnbmefbg.exe
File opened for modification | C:\Windows\SysWOW64\Cmnpgb32.exe | Cnkplejl.exe
File opened for modification | C:\Windows\SysWOW64\Djdmffnn.exe | Ddjejl32.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dddhpjof.exe
File created | C:\Windows\SysWOW64\Belebq32.exe | Bnbmefbg.exe
File opened for modification | C:\Windows\SysWOW64\Belebq32.exe | Bnbmefbg.exe
File created | C:\Windows\SysWOW64\Cenahpha.exe | Belebq32.exe
File opened for modification | C:\Windows\SysWOW64\Cenahpha.exe | Belebq32.exe
File created | C:\Windows\SysWOW64\Hfanhp32.dll | Cegdnopg.exe
File created | C:\Windows\SysWOW64\Ddonekbl.exe | Djdmffnn.exe
File opened for modification | C:\Windows\SysWOW64\Bcebhoii.exe | Bagflcje.exe
File created | C:\Windows\SysWOW64\Mkijij32.dll | Belebq32.exe
File created | C:\Windows\SysWOW64\Balpgb32.exe | Bnmcjg32.exe
File created | C:\Windows\SysWOW64\Cnffqf32.exe | Cenahpha.exe
File opened for modification | C:\Windows\SysWOW64\Cnffqf32.exe | Cenahpha.exe
File created | C:\Windows\SysWOW64\Ceckcp32.exe | Ceqnmpfo.exe
File opened for modification | C:\Windows\SysWOW64\Cnkplejl.exe | Ceckcp32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2216 | 2748 | WerFault.exe | 109
System Location Discovery: System Language Discovery (1 TTP, 28 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aabmqd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcebhoii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnmcjg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djdmffnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhmgki32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agoabn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Banllbdn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajfhnjhq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Belebq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cenahpha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmnpgb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceckcp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cegdnopg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddjejl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajkaii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjokdipf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceqnmpfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnkplejl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddonekbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bagflcje.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Balpgb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnbmefbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dddhpjof.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agjhgngj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baicac32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnffqf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" | Baicac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" | Ceqnmpfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Balpgb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bnbmefbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll" | Ajfhnjhq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bjokdipf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll" | Bjokdipf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Baicac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll" | Bnmcjg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajfhnjhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajkaii32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Banllbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" | Cnffqf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Belebq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Belebq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Djdmffnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bjokdipf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll" | Banllbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll" | Belebq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ddjejl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dddhpjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" | Ajkaii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" | Cenahpha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Djdmffnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Dddhpjof.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bcebhoii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" | Cnkplejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" | Ddjejl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ddonekbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dhmgki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Agjhgngj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Agjhgngj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" | Agoabn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Banllbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cnkplejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Baicac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cenahpha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cegdnopg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" | Dhmgki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aabmqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnmcjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cmnpgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll" | Cegdnopg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll" | Bcebhoii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cnffqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ceqnmpfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" | Cmnpgb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Agoabn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll" | Bagflcje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bcebhoii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Balpgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" | Balpgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll" | Bnbmefbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ceckcp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajfhnjhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aabmqd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajkaii32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2064 wrote to memory of 2008 | 2064 | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe | 83
PID 2064 wrote to memory of 2008 | 2064 | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe | 83
PID 2064 wrote to memory of 2008 | 2064 | 76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe | 83
PID 2008 wrote to memory of 2480 | 2008 | Ajfhnjhq.exe | 84
PID 2008 wrote to memory of 2480 | 2008 | Ajfhnjhq.exe | 84
PID 2008 wrote to memory of 2480 | 2008 | Ajfhnjhq.exe | 84
PID 2480 wrote to memory of 4740 | 2480 | Agjhgngj.exe | 85
PID 2480 wrote to memory of 4740 | 2480 | Agjhgngj.exe | 85
PID 2480 wrote to memory of 4740 | 2480 | Agjhgngj.exe | 85
PID 4740 wrote to memory of 2512 | 4740 | Aabmqd32.exe | 86
PID 4740 wrote to memory of 2512 | 4740 | Aabmqd32.exe | 86
PID 4740 wrote to memory of 2512 | 4740 | Aabmqd32.exe | 86
PID 2512 wrote to memory of 3232 | 2512 | Ajkaii32.exe | 87
PID 2512 wrote to memory of 3232 | 2512 | Ajkaii32.exe | 87
PID 2512 wrote to memory of 3232 | 2512 | Ajkaii32.exe | 87
PID 3232 wrote to memory of 3356 | 3232 | Agoabn32.exe | 88
PID 3232 wrote to memory of 3356 | 3232 | Agoabn32.exe | 88
PID 3232 wrote to memory of 3356 | 3232 | Agoabn32.exe | 88
PID 3356 wrote to memory of 1824 | 3356 | Bagflcje.exe | 89
PID 3356 wrote to memory of 1824 | 3356 | Bagflcje.exe | 89
PID 3356 wrote to memory of 1824 | 3356 | Bagflcje.exe | 89
PID 1824 wrote to memory of 4712 | 1824 | Bcebhoii.exe | 90
PID 1824 wrote to memory of 4712 | 1824 | Bcebhoii.exe | 90
PID 1824 wrote to memory of 4712 | 1824 | Bcebhoii.exe | 90
PID 4712 wrote to memory of 736 | 4712 | Bjokdipf.exe | 91
PID 4712 wrote to memory of 736 | 4712 | Bjokdipf.exe | 91
PID 4712 wrote to memory of 736 | 4712 | Bjokdipf.exe | 91
PID 736 wrote to memory of 4780 | 736 | Baicac32.exe | 92
PID 736 wrote to memory of 4780 | 736 | Baicac32.exe | 92
PID 736 wrote to memory of 4780 | 736 | Baicac32.exe | 92
PID 4780 wrote to memory of 3004 | 4780 | Bnmcjg32.exe | 93
PID 4780 wrote to memory of 3004 | 4780 | Bnmcjg32.exe | 93
PID 4780 wrote to memory of 3004 | 4780 | Bnmcjg32.exe | 93
PID 3004 wrote to memory of 2784 | 3004 | Balpgb32.exe | 94
PID 3004 wrote to memory of 2784 | 3004 | Balpgb32.exe | 94
PID 3004 wrote to memory of 2784 | 3004 | Balpgb32.exe | 94
PID 2784 wrote to memory of 3960 | 2784 | Banllbdn.exe | 95
PID 2784 wrote to memory of 3960 | 2784 | Banllbdn.exe | 95
PID 2784 wrote to memory of 3960 | 2784 | Banllbdn.exe | 95
PID 3960 wrote to memory of 876 | 3960 | Bnbmefbg.exe | 96
PID 3960 wrote to memory of 876 | 3960 | Bnbmefbg.exe | 96
PID 3960 wrote to memory of 876 | 3960 | Bnbmefbg.exe | 96
PID 876 wrote to memory of 4844 | 876 | Belebq32.exe | 97
PID 876 wrote to memory of 4844 | 876 | Belebq32.exe | 97
PID 876 wrote to memory of 4844 | 876 | Belebq32.exe | 97
PID 4844 wrote to memory of 2124 | 4844 | Cenahpha.exe | 98
PID 4844 wrote to memory of 2124 | 4844 | Cenahpha.exe | 98
PID 4844 wrote to memory of 2124 | 4844 | Cenahpha.exe | 98
PID 2124 wrote to memory of 1672 | 2124 | Cnffqf32.exe | 99
PID 2124 wrote to memory of 1672 | 2124 | Cnffqf32.exe | 99
PID 2124 wrote to memory of 1672 | 2124 | Cnffqf32.exe | 99
PID 1672 wrote to memory of 1728 | 1672 | Ceqnmpfo.exe | 100
PID 1672 wrote to memory of 1728 | 1672 | Ceqnmpfo.exe | 100
PID 1672 wrote to memory of 1728 | 1672 | Ceqnmpfo.exe | 100
PID 1728 wrote to memory of 3928 | 1728 | Ceckcp32.exe | 101
PID 1728 wrote to memory of 3928 | 1728 | Ceckcp32.exe | 101
PID 1728 wrote to memory of 3928 | 1728 | Ceckcp32.exe | 101
PID 3928 wrote to memory of 5072 | 3928 | Cnkplejl.exe | 102
PID 3928 wrote to memory of 5072 | 3928 | Cnkplejl.exe | 102
PID 3928 wrote to memory of 5072 | 3928 | Cnkplejl.exe | 102
PID 5072 wrote to memory of 3580 | 5072 | Cmnpgb32.exe | 103
PID 5072 wrote to memory of 3580 | 5072 | Cmnpgb32.exe | 103
PID 5072 wrote to memory of 3580 | 5072 | Cmnpgb32.exe | 103
PID 3580 wrote to memory of 648 | 3580 | Cegdnopg.exe | 104
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\76d7a02e2ea76f313d3ab5600b0606aaa4f407c9de031b9bca412e2ac70a2b8d.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2064

[depth 2] C:\Windows\SysWOW64\Ajfhnjhq.exe
Command line: C:\Windows\system32\Ajfhnjhq.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:384 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4128 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 40829⤵
- Program crash
PID:2216
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2748 -ip 27481⤵PID:3096
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 169KB
MD5 db73becdccbbf37f596d5ad686421c8c
SHA1 ef70baf2892b006db5bbd3ad62c70216ce4429fc
SHA256 09b6a240103b9a58f13ac06a183e434bb11a4a1ae849a7efcab28dc129f4f490
SHA512 09f83dcd7af310c8c2ec383ad3985a375fb981a0640465f57ecfc8c254c83e7e215d9ff537259b1af4bca2341da1848659567164f33895e540d1a1542a19f0d4
-
Filesize 169KB
MD5 554b4b4fa52ffc96ff8ca5aefedb42e7
SHA1 9779924312f36cfd974db65f1ffa6e7717d29f10
SHA256 41fdc4cc546bceb6be4ad9dfa01033afb122f74fd74aa5c0caddbca9be383e55
SHA512 16545cd0e67963dd367db002b892b1c9c34ba8ce652268186cff983f2bcb4ea383ec9dafd52a2abcde6128a8f453e6f08cdb076118b858809da8169d49e28909
-
Filesize 169KB
MD5 68d40a43f7ac6c4045d427bac980e71e
SHA1 3ad7e6eb41df04048bceebcd1e120c3bc02615f2
SHA256 a2e33c429e2948c537b3319fc56b39bd4b8de5f97dd88e9da9e4da8c8443773d
SHA512 9bc649b8bb131a02d07313f8d36cd4104fec81d312734cee3a82e5465bb843f5c45996887711d02e56ba38e0f3a09b3f34bff4b719b17a8767f44eb5541ec104
-
Filesize 169KB
MD5 c6e11fa384dcc549222eb80037ae803a
SHA1 b86ad2e82ea5c0d10639f81dbfceb44fc07ad557
SHA256 056a674801710a8e90797b01b205caf9ccb162b7f16756eeea8b06edaead95e8
SHA512 cb7dd203dcac44a8c39c25ad2a9d01dddfd826050a708e31f31951cde269b693a2d5dbce411e670bf0575a592bcfb4601e553d099a4f8e3f25f9e859220021ff
-
Filesize 169KB
MD5 a341a9c27d183afb627e9206a6140e38
SHA1 0a6de5120f83e3a0b81d14be5a424f3ae4029e4c
SHA256 4e9a13943c28494b40f48c27688f4ad8e89fccb1e026e28aabf633845a9df264
SHA512 b6f2b9613e542055dfb3c7c6e0ecc8eb479b0b136cb1d72c94ab6ec91e5fc6f7c260547d6b872d890e7389c0d0c8daab9d8d2ff6b4a8ed512d655fd9359ee0d2
-
Filesize 169KB
MD5 3156fc63d644f1fc7c983c5cd1094059
SHA1 bf62280a5b147c93516243925a06b3bb81977462
SHA256 e9c4821afb2dff13e3c5acaef2b8c158e8fb2aa895734675bddaf5aff1bc1f33
SHA512 865d9103e1c188f830797d857af33cd36eda8326b92c2cfc4f2f43bf644829682b7bec0d1384b2b8b17b928ed6375038c93405d97871c20954b278c1a2fc3c22
-
Filesize 169KB
MD5 df2fcfa83b02f84f624c5747332372a2
SHA1 1f58c1e42d40db5cb9a1ead0dc0256ee80a4ff56
SHA256 4e02d1e013c1728497cfe00ea99595c356c2873599d35f813e5a6b68c4f741c0
SHA512 beb0f24ea3b99e0e94ebdb29e57bfe7e27477a29d8ca767508bd06e4063594640966c491ab0b6153e190d93cdacff7095589b34c4f90c9cfcad0a369b8ae22de
-
Filesize 169KB
MD5 b870d8ad7d50d1d21868bd0a4142b7c5
SHA1 34ce616f612b5328f6d4be4b4846f07d6b53b75e
SHA256 6c183c9a74a77377633233ab99da45e680dfce28ed64ba77921edb6099c07369
SHA512 bae2b30b4902330fc26159f34dee4b2023d41a425e3177f98bf2ba3c64407df17850d484ed13cbc5c79995db95de624fd2e0e6769809953a8b16bc782a9ddf54
-
Filesize 169KB
MD5 ad4e221320dea59ae2f214e33868b82e
SHA1 b06fb72ebed59922c678d8643b8a3b71c8192be3
SHA256 c7c773e248fc599123e95ad14fb8811ad7593b58ab674487b0e710079e11df11
SHA512 ddd97a0247ffb550fe0fbbfb0fb6806bd69add293903b7f902935e463d8947d8e7037cb362e501e50e68d0590ae40d542c987eb822fd6bd467c784711c2eccf0
-
Filesize 169KB
MD5 e892b0b2ec37a362c077b305eba18290
SHA1 a94ae573a692c541e94441a732817ad1728a0d29
SHA256 0b8284c36df9c6589093a853bbd2f703220bd393731c8aff760b1a96550287a8
SHA512 3e14ab8643f74e1f8f06e36ea6e06c817a12ae94ac4a326164703d603b1ffdbd6e81def362b3ce9f90de1569bd70d0ff2c067c950f9fe095780311eb16d271f3
-
Filesize 169KB
MD5 40775d92cb251371177d4728c94a85bb
SHA1 923f32ff37650382c0b4cc807cd96e170763b9c3
SHA256 ad30038bd53fe697241b3dc3bcaaf59a78ff3fd833f899f15658d85192323988
SHA512 4771805e7cc49c0b492342d990509f365d964970785c4d9059c116aa8e62222ee68eee9c1e7430edb23ee8e02f5c33d7ea9732edb7980f210d1d2e486b30ba21
-
Filesize 169KB
MD5 bfaa8719ff1443fcd920d4d6a0911abb
SHA1 be6144f43cb09b7bd22d67cd95c799c5f5c9c08d
SHA256 7fbe0b8d88a6356441059faa270e9bae71960def65b1f4d60aab7b51489bcaec
SHA512 0759df64e56320f1c528c6050de496c2aae02c8077dfa6d69e9ecd5d98afc4993d7e4b6485688e5260add3dad27a7a393f57b8c6b96becf491a383410cc1257b
-
Filesize 169KB
MD5 b6d14bdaf6403f3cc27ff63aaacf07ca
SHA1 c2e022185b7b4b3ba56feded9a424da2d8880cc7
SHA256 45d27b21770f3126e48216d94a0ca1629be4326dc211711af5923f61949e67f8
SHA512 779ae48b33d19c637941d30eeb6fd5cebde437ed812f5622c19355cc2361de555182221d82e443f9763e1834b8f00889c5be38683cb5caaf3bd326499ed4cb90
-
Filesize 169KB
MD5 d984977dfb6f82516ecc0f16b4f88cc5
SHA1 3c5a086d0c324b6bfb5212a300b17ce755465a52
SHA256 954301aa993881efe255f31bd649e41ed14f08eda855b2d2bdf93122b881f357
SHA512 334798418199e0f7575685ff161084fda555ef557f7a090a975963f8f040e8047ebcbed6b724ba4bc0f715cf67c441ac133db413748189700f88a5954adb5c9e
-
Filesize 169KB
MD5 5e0f107cd35228bf09d30f3893359077
SHA1 2da617213889b26ea8ed57ebcf7901a8bab8fe4a
SHA256 931be85d50b47c79aba803f2df0cb1ca84db0b9251a3a95c5804c83e32fecfda
SHA512 2d47ecd5708022baa30408e2646d0f49de205fde7f3d4297887ad7f27ad75056cb71e857e96c0a8e20d2b3e8ec6cffbd4113f055e53a794fa035a33d9f0372c3
-
Filesize 169KB
MD5 964fe78686cc5e8ad59a57a69c5d43ab
SHA1 f6eb8097bb8c8cf6a89155020b73507d607e6c29
SHA256 1d77a014f81fe1b1ca90582388d042b6e0ed25b1492dbed4312f0f404b3726f5
SHA512 5e43377005230a80054a3db58ac6e4273e16e26184d7f28bf90de78b637ef8ac98abbe27144c99c500dbcdda53683ba72de8c1045e700fe0318852f7681fa99b
-
Filesize 169KB
MD5 349f8a4906f412924e7d306e470048a9
SHA1 8a881df51358f6e00eb57fa0b6b8740884dd34e2
SHA256 4fca394f7a36e356e287b4f7928a21648d15473b4c501191619ca5b747e611ea
SHA512 71b128c84cd90fa7c49965fb17a3bd0d7e1b5fb19846a0bb22f43836283399d7580185fd2ade13c3c18a314f0d2123fea5265ab2639df6ef865d64f8c0af8985
-
Filesize 169KB
MD5 24cc87eacda11945bcc54caca24e2da6
SHA1 ca23bc1a6b5379b798ff3fa2f9935ae76ed80c1d
SHA256 fb210e03589384dffc807657cf04eb6dfba422b73a79dab0929bf254739b496c
SHA512 bc63b3a13285c0f7aaf50215f0ed3ec6f6127f89cb1f746202ba247444d171bf3201bf8da08a38c10ed9caccbff1c26d3db64fc5e30736ead7cd99390ce65ff5
-
Filesize 169KB
MD5 b93e07507e8ef6dd58160d70e982d82b
SHA1 774908998ecd3e92a9b55769d60c00eca3d05ce8
SHA256 7beac7638926a556eb05753118740e3973f26702c381046d8524b2ea2e8e366d
SHA512 68b9f2584265cd7b8e9a1182d1e580328f06ad795a713ba0e53e0a56e0f119bba004bd11d1319ae45f9037982dd1dd5e7899062a676f5cf4f55eb9fe4c292a4b
-
Filesize 169KB
MD5 899b50ab5de086e6eecdecda1f5c3316
SHA1 87d25b8741cbf3dffd0db0c9ec567ed0efcf588f
SHA256 af9eec4f3fd7a68420aecf27ef817ffb634080c29db3ed8f60186fc0593ac7bf
SHA512 378ffa0b7c6b2ea7df5a45f96d5f39406627745d57481cc46c517a2f657c2b85b58d97117842b5e61f63fe72b0f6129e6c56aba62aef3961887afea570375d14
-
Filesize 169KB
MD5 dabb6835938f52e354e3aefc10921d48
SHA1 bc22dcb67ba4f0749d05370347f240c865fed31e
SHA256 80b23be6be9b23bc647fc3c0620e4874244fd6ac76a10a4ed221dd7d1d1c60b0
SHA512 4421af4054ecad83c817ccede06fb22f50cd2ad70363090e99a43a4cbf6b6e4c94ba8fa63c20114e917859d708286f170a7b05b825f662f59f6d3b443ab9476b
-
Filesize 169KB
MD5 a67d6a7674c0cb110af59a306ac95ac4
SHA1 901e66e7d2a687d600da8993a4de5ced90c2b030
SHA256 84c97fb8ad2a9fbf463f17157c1ac5d41b03eab6d9b3725e7d33bec299c47606
SHA512 37f80b524ff3fd8bcf383605cf16957b7a1c832f76c950502ba7eada3d95c9c99ce0a18865312cc915e186112b920a13e6aae8fa03f69489d0d4704a0e8ee09c
-
Filesize 169KB
MD5 2e590794d7ab4070f71a2e0a966de867
SHA1 67f6ab40397cc7108212f88d5eb588a2612361fd
SHA256 f60607d48f8f4446a6991ea412c1b6b5eb52198454e639ccd3595d4ec531d08d
SHA512 b9ff742732dac6493d7058806bf56bfc227ce646275401e941ce49013c050fe8733a2b2a8dd98673625b497dba474162f3bd5d197ceb476f9c24c30e0bc069e0
-
Filesize 169KB
MD5 548e482fbf5a60dfa18db2bc664bf202
SHA1 3acb8e7a1ee7fb5ab5c22f290efd66d3390a361c
SHA256 2b587f20961d5db71507a275877ce41b34d592f6e5e94377b5eb1ce4bb262b7a
SHA512 18c50edf9ef1c9df44ec5b737dceab5d8d9cd405d0852d407128005c528f7fa2c5533bf5024c8d7676dbbb2106298c55719e3df29397e5ab3f9456bba7d3ceb5
-
Filesize 169KB
MD5 e803a323288b19d4a613fd6ee371cd38
SHA1 81e3008bacea7b20801676fb6439b693b3161c3d
SHA256 cbc977f6b6fa6aeb29fc9b2f2749168f716b562749f6b7e9423fd497ce66eb9c
SHA512 de8e8515c7093d71985b59bd8b357978b8a9df33f151f0d2f72477ef256c1f8cac2cd47945da15bed66b9a3d9529ef28531660c67085543badac990098deb383
-
Filesize 169KB
MD5 f528fee265d25d3e97ac9f3abc75fb1b
SHA1 a0a67d6d5010fc9de91adac0612c1df59b3f8bd6
SHA256 547b987bdbe1ed6d3d658f48d3ca1df911554957123a34ebcaad1a8782033f5d
SHA512 11acc3d8fdbf8bd955b1fed6a2e6b478c2fc3998b3e4cf9c97a6e326ba3dfc95fb8928ebf2598ce3bc7b0e542aefb1856c53ebee7681f66d913d9251e59f1bad
-
Filesize 169KB
MD5 d2c03c6613002622a9e15a1b35881c7a
SHA1 01b266e8b7b461e7b9ba545ecc76df0ea0f5a073
SHA256 c831640420c5a0fdfea4f40124bb4de1b17c2b0027e7d78ef8e23f842399d2c2
SHA512 65ef5fba6392061fe7282e6643ab6b6378540e1f8b2b278f797a5ce3bb09fc9af0a8024b5be8ea0a635f5990a73144b410ec173b1feb979a47252db21b70d53a
-
Filesize 7KB
MD5 d64535812ed1bbd9c0c91aaf6c01bb95
SHA1 dbf7ef55a003a8bd943aa8c13e772c8ce26d4820
SHA256 2ea79a4114c91b0e8997757127093ba49575e00a44d9a6c87fb723f90057c848
SHA512 89d60c32adb51e97aaf7e06827cf4df284c8dfed45c0e694f45c9cbcdba0146cc45669b9aedbc3f8399faddd7cc0a39771cb047a2ba9fb3c6bbe8e9553dc63e9