Analysis

- max time kernel: 93s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-12-2024 01:38

Static task: static1

Behavioral task: behavioral1
- Sample: a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe
- Resource: win10v2004-20241007-en
General

- Target: a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe
- Size: 94KB
- MD5: a5499dc1d4789a198e5e4845aeb139db
- SHA1: 624aafbcf55e68998057ff5a08117f7ff19460c5
- SHA256: a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d
- SHA512: ae611913b08ae1f43c5962be13d5f4c49f0c894e7ac1b29afed5f32440f0beda06ae0ca6f066c1970a3dc162d0228cf3f707ef34ca84c181420adbfc4280a64a
- SSDEEP: 1536:kxkKvjMJdQsLqpF809kJvsjxmS2bkXQXjcbZHaTKoO9RSkx3WhkKXBnFsRQD6RfP:kxkKv0KsLqptvmSckACHa7admk2Bnmeu
Malware Config

Extracted configuration (family: berbew), URLs:
- http://viruslist.com/wcmd.txt
- http://viruslist.com/ppslog.php
- http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 22 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dmefhako.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dfnjafap.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dmgbnq32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dddhpjof.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dhkjej32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddakjkqi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dfpgffpm.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmjocp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dmjocp32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dknpmdfc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dknpmdfc.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmefhako.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmgbnq32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ddakjkqi.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnjafap.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Djgjlelk.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhkjej32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfpgffpm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dddhpjof.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djgjlelk.exe |

Berbew family
Executes dropped EXE (11 IoCs)

| pid | Process |
| --- | --- |
| 732 | Djgjlelk.exe |
| 2324 | Dmefhako.exe |
| 4460 | Dhkjej32.exe |
| 2096 | Dfnjafap.exe |
| 4752 | Dmgbnq32.exe |
| 244 | Ddakjkqi.exe |
| 1504 | Dfpgffpm.exe |
| 512 | Dmjocp32.exe |
| 4420 | Dddhpjof.exe |
| 1068 | Dknpmdfc.exe |
| 4964 | Dmllipeg.exe |
Drops file in System32 directory (33 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\Dmefhako.exe | Djgjlelk.exe |
| File created | C:\Windows\SysWOW64\Dhkjej32.exe | Dmefhako.exe |
| File opened for modification | C:\Windows\SysWOW64\Ddakjkqi.exe | Dmgbnq32.exe |
| File created | C:\Windows\SysWOW64\Dmjocp32.exe | Dfpgffpm.exe |
| File created | C:\Windows\SysWOW64\Bobiobnp.dll | Dfpgffpm.exe |
| File created | C:\Windows\SysWOW64\Dddhpjof.exe | Dmjocp32.exe |
| File created | C:\Windows\SysWOW64\Gidbim32.dll | Djgjlelk.exe |
| File opened for modification | C:\Windows\SysWOW64\Dfpgffpm.exe | Ddakjkqi.exe |
| File created | C:\Windows\SysWOW64\Amjknl32.dll | Dmjocp32.exe |
| File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe |
| File opened for modification | C:\Windows\SysWOW64\Dmgbnq32.exe | Dfnjafap.exe |
| File created | C:\Windows\SysWOW64\Ddakjkqi.exe | Dmgbnq32.exe |
| File created | C:\Windows\SysWOW64\Nokpao32.dll | Dddhpjof.exe |
| File created | C:\Windows\SysWOW64\Jbpbca32.dll | Dmefhako.exe |
| File opened for modification | C:\Windows\SysWOW64\Dmjocp32.exe | Dfpgffpm.exe |
| File created | C:\Windows\SysWOW64\Dknpmdfc.exe | Dddhpjof.exe |
| File opened for modification | C:\Windows\SysWOW64\Dhkjej32.exe | Dmefhako.exe |
| File created | C:\Windows\SysWOW64\Dmgbnq32.exe | Dfnjafap.exe |
| File opened for modification | C:\Windows\SysWOW64\Dknpmdfc.exe | Dddhpjof.exe |
| File created | C:\Windows\SysWOW64\Kngpec32.dll | Dknpmdfc.exe |
| File created | C:\Windows\SysWOW64\Djgjlelk.exe | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| File created | C:\Windows\SysWOW64\Dfpgffpm.exe | Ddakjkqi.exe |
| File created | C:\Windows\SysWOW64\Kmdjdl32.dll | Ddakjkqi.exe |
| File created | C:\Windows\SysWOW64\Poahbe32.dll | Dhkjej32.exe |
| File created | C:\Windows\SysWOW64\Ihidnp32.dll | Dfnjafap.exe |
| File opened for modification | C:\Windows\SysWOW64\Dddhpjof.exe | Dmjocp32.exe |
| File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe |
| File opened for modification | C:\Windows\SysWOW64\Djgjlelk.exe | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| File created | C:\Windows\SysWOW64\Beeppfin.dll | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| File opened for modification | C:\Windows\SysWOW64\Dmefhako.exe | Djgjlelk.exe |
| File created | C:\Windows\SysWOW64\Dfnjafap.exe | Dhkjej32.exe |
| File opened for modification | C:\Windows\SysWOW64\Dfnjafap.exe | Dhkjej32.exe |
| File created | C:\Windows\SysWOW64\Gifhkeje.dll | Dmgbnq32.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 3540 | 4964 | WerFault.exe | 93 |
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhkjej32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddakjkqi.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfpgffpm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dknpmdfc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dddhpjof.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djgjlelk.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmefhako.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfnjafap.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmgbnq32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmjocp32.exe |
Modifies registry class (36 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" | Dmgbnq32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ddakjkqi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dfpgffpm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dddhpjof.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" | Dfnjafap.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dmgbnq32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dknpmdfc.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dknpmdfc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Dknpmdfc.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dmefhako.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dmjocp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" | Dmjocp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dmjocp32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dhkjej32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | Dddhpjof.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Djgjlelk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" | Dmefhako.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dmefhako.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" | Ddakjkqi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" | Dfpgffpm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Djgjlelk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" | Dhkjej32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dfnjafap.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dfnjafap.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dddhpjof.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" | Djgjlelk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ddakjkqi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dfpgffpm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dhkjej32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dmgbnq32.exe |
Suspicious use of WriteProcessMemory (33 IoCs)

Each write below was recorded three times by the sandbox, giving 33 IoCs in total.

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1436 wrote to memory of 732 | 1436 | a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe | 83 |
| PID 732 wrote to memory of 2324 | 732 | Djgjlelk.exe | 84 |
| PID 2324 wrote to memory of 4460 | 2324 | Dmefhako.exe | 85 |
| PID 4460 wrote to memory of 2096 | 4460 | Dhkjej32.exe | 86 |
| PID 2096 wrote to memory of 4752 | 2096 | Dfnjafap.exe | 87 |
| PID 4752 wrote to memory of 244 | 4752 | Dmgbnq32.exe | 88 |
| PID 244 wrote to memory of 1504 | 244 | Ddakjkqi.exe | 89 |
| PID 1504 wrote to memory of 512 | 1504 | Dfpgffpm.exe | 90 |
| PID 512 wrote to memory of 4420 | 512 | Dmjocp32.exe | 91 |
| PID 4420 wrote to memory of 1068 | 4420 | Dddhpjof.exe | 92 |
| PID 1068 wrote to memory of 4964 | 1068 | Dknpmdfc.exe | 93 |
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1436

Level 2: C:\Windows\SysWOW64\Djgjlelk.exe
Command line: C:\Windows\system32\Djgjlelk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 732

Level 3: C:\Windows\SysWOW64\Dmefhako.exe
Command line: C:\Windows\system32\Dmefhako.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2324

Level 4: C:\Windows\SysWOW64\Dhkjej32.exe
Command line: C:\Windows\system32\Dhkjej32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4460

Level 5: C:\Windows\SysWOW64\Dfnjafap.exe
Command line: C:\Windows\system32\Dfnjafap.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2096

Level 6: C:\Windows\SysWOW64\Dmgbnq32.exe
Command line: C:\Windows\system32\Dmgbnq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4752

Level 7: C:\Windows\SysWOW64\Ddakjkqi.exe
Command line: C:\Windows\system32\Ddakjkqi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 244

Level 8: C:\Windows\SysWOW64\Dfpgffpm.exe
Command line: C:\Windows\system32\Dfpgffpm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1504

Level 9: C:\Windows\SysWOW64\Dmjocp32.exe
Command line: C:\Windows\system32\Dmjocp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 512

Level 10: C:\Windows\SysWOW64\Dddhpjof.exe
Command line: C:\Windows\system32\Dddhpjof.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4420

Level 11: C:\Windows\SysWOW64\Dknpmdfc.exe
Command line: C:\Windows\system32\Dknpmdfc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1068

Level 12: C:\Windows\SysWOW64\Dmllipeg.exe
Command line: C:\Windows\system32\Dmllipeg.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4964

Level 13: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 416
- Program crash
PID: 3540

Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4964 -ip 4964
PID: 2320
Network
MITRE ATT&CK Enterprise v15
Downloads