berbew | 82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
Size

117KB
MD5

bce4008f44a066830c060bf880628570
SHA1

c8004b3a95453850bc846506597986955f458627
SHA256

82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7
SHA512

c82a795587e382e7e38a69be8c2d18f71c7fed97dff1f515e7496db1e070e11df366a121ee85c62e0928d762c81e056a639ebcd4df038ccf87ad7d4fe4a77f62
SSDEEP

3072:q0KJsVk78HLIgVXqvDeLoZKMNYP55FFfUrQlM:xKJsV5sgVQ9zNYP55TfMQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 29 IoCs

pid	Process
2940	Bhhdil32.exe
3420	Bjfaeh32.exe
4824	Belebq32.exe
4580	Chjaol32.exe
2044	Cndikf32.exe
2404	Cabfga32.exe
4640	Chmndlge.exe
1000	Cmiflbel.exe
4368	Ceqnmpfo.exe
3960	Cfbkeh32.exe
1996	Cnicfe32.exe
2064	Cagobalc.exe
2996	Ceckcp32.exe
3568	Cdfkolkf.exe
3948	Cfdhkhjj.exe
736	Cnkplejl.exe
3248	Cdhhdlid.exe
2808	Cjbpaf32.exe
1232	Calhnpgn.exe
936	Dhfajjoj.exe
2120	Ddmaok32.exe
2200	Daqbip32.exe
3356	Dfnjafap.exe
1496	Dmgbnq32.exe
1620	Dfpgffpm.exe
4692	Daekdooc.exe
4088	Deagdn32.exe
2772	Dknpmdfc.exe
4868	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2272	4868	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 2940	3316	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe	85
PID 3316 wrote to memory of 2940	3316	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe	85
PID 3316 wrote to memory of 2940	3316	82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe	85
PID 2940 wrote to memory of 3420	2940	Bhhdil32.exe	86
PID 2940 wrote to memory of 3420	2940	Bhhdil32.exe	86
PID 2940 wrote to memory of 3420	2940	Bhhdil32.exe	86
PID 3420 wrote to memory of 4824	3420	Bjfaeh32.exe	87
PID 3420 wrote to memory of 4824	3420	Bjfaeh32.exe	87
PID 3420 wrote to memory of 4824	3420	Bjfaeh32.exe	87
PID 4824 wrote to memory of 4580	4824	Belebq32.exe	89
PID 4824 wrote to memory of 4580	4824	Belebq32.exe	89
PID 4824 wrote to memory of 4580	4824	Belebq32.exe	89
PID 4580 wrote to memory of 2044	4580	Chjaol32.exe	90
PID 4580 wrote to memory of 2044	4580	Chjaol32.exe	90
PID 4580 wrote to memory of 2044	4580	Chjaol32.exe	90
PID 2044 wrote to memory of 2404	2044	Cndikf32.exe	91
PID 2044 wrote to memory of 2404	2044	Cndikf32.exe	91
PID 2044 wrote to memory of 2404	2044	Cndikf32.exe	91
PID 2404 wrote to memory of 4640	2404	Cabfga32.exe	92
PID 2404 wrote to memory of 4640	2404	Cabfga32.exe	92
PID 2404 wrote to memory of 4640	2404	Cabfga32.exe	92
PID 4640 wrote to memory of 1000	4640	Chmndlge.exe	93
PID 4640 wrote to memory of 1000	4640	Chmndlge.exe	93
PID 4640 wrote to memory of 1000	4640	Chmndlge.exe	93
PID 1000 wrote to memory of 4368	1000	Cmiflbel.exe	94
PID 1000 wrote to memory of 4368	1000	Cmiflbel.exe	94
PID 1000 wrote to memory of 4368	1000	Cmiflbel.exe	94
PID 4368 wrote to memory of 3960	4368	Ceqnmpfo.exe	95
PID 4368 wrote to memory of 3960	4368	Ceqnmpfo.exe	95
PID 4368 wrote to memory of 3960	4368	Ceqnmpfo.exe	95
PID 3960 wrote to memory of 1996	3960	Cfbkeh32.exe	96
PID 3960 wrote to memory of 1996	3960	Cfbkeh32.exe	96
PID 3960 wrote to memory of 1996	3960	Cfbkeh32.exe	96
PID 1996 wrote to memory of 2064	1996	Cnicfe32.exe	97
PID 1996 wrote to memory of 2064	1996	Cnicfe32.exe	97
PID 1996 wrote to memory of 2064	1996	Cnicfe32.exe	97
PID 2064 wrote to memory of 2996	2064	Cagobalc.exe	98
PID 2064 wrote to memory of 2996	2064	Cagobalc.exe	98
PID 2064 wrote to memory of 2996	2064	Cagobalc.exe	98
PID 2996 wrote to memory of 3568	2996	Ceckcp32.exe	99
PID 2996 wrote to memory of 3568	2996	Ceckcp32.exe	99
PID 2996 wrote to memory of 3568	2996	Ceckcp32.exe	99
PID 3568 wrote to memory of 3948	3568	Cdfkolkf.exe	100
PID 3568 wrote to memory of 3948	3568	Cdfkolkf.exe	100
PID 3568 wrote to memory of 3948	3568	Cdfkolkf.exe	100
PID 3948 wrote to memory of 736	3948	Cfdhkhjj.exe	101
PID 3948 wrote to memory of 736	3948	Cfdhkhjj.exe	101
PID 3948 wrote to memory of 736	3948	Cfdhkhjj.exe	101
PID 736 wrote to memory of 3248	736	Cnkplejl.exe	102
PID 736 wrote to memory of 3248	736	Cnkplejl.exe	102
PID 736 wrote to memory of 3248	736	Cnkplejl.exe	102
PID 3248 wrote to memory of 2808	3248	Cdhhdlid.exe	103
PID 3248 wrote to memory of 2808	3248	Cdhhdlid.exe	103
PID 3248 wrote to memory of 2808	3248	Cdhhdlid.exe	103
PID 2808 wrote to memory of 1232	2808	Cjbpaf32.exe	104
PID 2808 wrote to memory of 1232	2808	Cjbpaf32.exe	104
PID 2808 wrote to memory of 1232	2808	Cjbpaf32.exe	104
PID 1232 wrote to memory of 936	1232	Calhnpgn.exe	105
PID 1232 wrote to memory of 936	1232	Calhnpgn.exe	105
PID 1232 wrote to memory of 936	1232	Calhnpgn.exe	105
PID 936 wrote to memory of 2120	936	Dhfajjoj.exe	106
PID 936 wrote to memory of 2120	936	Dhfajjoj.exe	106
PID 936 wrote to memory of 2120	936	Dhfajjoj.exe	106
PID 2120 wrote to memory of 2200	2120	Ddmaok32.exe	107

C:\Users\Admin\AppData\Local\Temp\82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe
"C:\Users\Admin\AppData\Local\Temp\82e9cb33e2b24d4d512a87d4fb38be2f212b07a0b140b9ee1b14195c91460dd7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\SysWOW64\Bhhdil32.exe
  C:\Windows\system32\Bhhdil32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\Bjfaeh32.exe
    C:\Windows\system32\Bjfaeh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\Belebq32.exe
      C:\Windows\system32\Belebq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
      - C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 248
        31⤵
        Program crash
        
        PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4868 -ip 4868
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
117KB

MD5
f3db980d73d0c3e3caf6d103c943ad35

SHA1
6c556036466d899a0cfc0e01337bc874575b80cf

SHA256
11f9039eceec55651d819f6021d8c590be007ee7e77812d4d810e04dac1b1e31

SHA512
3bfbcd5f195c5dffaf625916ec21bc0813516acb034955c2032f43c5fbaff059152257798d5a9d165a31e20b68f10be90f289487e159e0335d516155173af3eb

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
117KB

MD5
b928109a2c2ba6ad2bbd4105844d80eb

SHA1
c9bd22e8f0f826cd6a097b9ded4095e9e89cbd2e

SHA256
11193a7d3033202cc6749bf03ff05347274564f33c6ab74335159d5ef49ee950

SHA512
915a27ade7e9feb5e97741aaba354b3143ef429dc00490a7827959c2695b0afb4aed4272e4d8a6a102e7a0af074bbfc40c63275f7b83415fa8b26fdaad547561

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
117KB

MD5
d5a0538bf6216d6259d21f766411d454

SHA1
4f021913f3d2d76ba51f2640dfb7b7fc1b9e0978

SHA256
61b48a96f7fc752dda7e480804ec2df2c93a8e5d40a2179baeb9d5c4d2ab2177

SHA512
cd0f295388be9145045d070606d1197441a8fceb24832242af4017b29a125934214fbf04ac01ff313ff31c2cfa599041075ed6268a51ee832c0e8aaa93dd1920

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
117KB

MD5
eedf50e2912655fcc60bb51e8f1ef3a0

SHA1
d426880f5c8585d94f0ef03c0336e472a309a569

SHA256
380086712081ae7507ce0e7ec93cbe6fbacba88d8c8eb1f4117036d40db6bac4

SHA512
a7fd178a693c27e4834e949984fe87bb10a1a7e11152f262b342ac3b6ec33e34c83229619ea41c3da75c235d8512af6290d0ed0fd943af72173f1449af68bcc7

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
117KB

MD5
4a0a13b86ef716798261b5586a3dd664

SHA1
4120a52e91da9e798ee89b4d86975dcea1672499

SHA256
7882f2a479a333d91efd0b67cf47ddfac8276252c61f8762bca771854c5e9d73

SHA512
59fc8eac6a59b940c37284fc116cc041d8f4ca6604c1e48b5ae9401e79b54e7d9de73c4f89646b6d67035a5cdb9b8ba7da37cce2a75cdbc872cf60cbed2c68a4

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
117KB

MD5
2aa631e40ae1f9bbef7c1ac14937bd69

SHA1
5d17eb2bb21ddd27d5a0374afa598097bd0f11bf

SHA256
ae73565100f38020691f653c3369b2806c301b8352ad878ea230dc5f665b9865

SHA512
17841d5d31c6937494a587e6c8d9782d699e4d94bf7551e401d3f2114abc0f4f4207e5a48666387f013ce18716db5b8de03a037d2d493916b3d64711d7a22c6b

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
117KB

MD5
85c7bee238e7c9594a6470a36a80d7b9

SHA1
4c3a19a964dd6b6ad71b8018b7003b81154a2461

SHA256
b01a86dbe754ac82c45faf40b8b2478c04634b4fdcf6751ae9f9728e9b71b773

SHA512
f7b2e255ef07186f1b25c4969880baa56789c3376b9ba522a6ca79fc85a6d234007bd52e34ba2f826a31431061cea4320b2693b0029d74a3f61075e28a2dfc56

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
117KB

MD5
f6561b801f4c863bc77662c6445a8077

SHA1
f7b13b8fd840a56866568ca1d5f50b785e70350a

SHA256
4331fa4f56b397f379cd2f79b391c3c11beb5ca86b03383c3e7d3d706bc39880

SHA512
72d6744bc60f497d673adb0dcc6a960d79e30a4f67eeed661c6a57d47cbe0732adbd9933d171a4408a3fe7c2c19558a7c0c529e2a73cd95381a45c8d1e06d27f

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
117KB

MD5
ce21cdee3627bbe7474b7587137f9f14

SHA1
b6d0f4de10d83005183831927c99433ee59d8f58

SHA256
1b85de5caf972179e93f0e61e9fc50406ada1aec714b8158b4392a8d0cc0d368

SHA512
4801c4c5decf5579e48e22a40dc86a862f7c55be86b527a1ebc79b879ace718654eee7771b07da4af788c929816cf9c6a9ff874d2043dc19b29dee637f8a9955

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
117KB

MD5
ab0a6c68fc6af55fcf43a20385ad8174

SHA1
de954b0a88652195eca250f542bddfa1f0e1e8cb

SHA256
4ff9ec8394a44cd8d051ec786d4765c76c5d687318d5343c2c565843f0f59e01

SHA512
93ebe417111c810a8741b65d4e5688344808c25de40fc79641ce8ddde837fabec193a410534734f15f7ef69ff91682538a09c138ec64f891b3ab697c2079789d

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
117KB

MD5
60766ea20aee7ad269dac6edd28c230d

SHA1
252c1b18b350c92fcb759f28c870fc6fb9dac1b5

SHA256
92056108dea6fd12aeb913243aab101524c3f5caff039b9760c3c34b4a608afc

SHA512
5b7f4ca84e30c7afd7f2f9fe8f32a8500be53d1150b58a9c171e525b29f297a5f2bde66898c179a31950182be35a3f0b18646fb296694cdc5d64dc03e02423bc

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
117KB

MD5
643dca92c4fceca361a5ef7ca7dcce02

SHA1
b8f45f02763ec8952136bef064573917d1fcacf0

SHA256
47ffbf6613f4f6905eeb531d952d78e223388d3c7955f1e7064b5297030856cb

SHA512
63c1f562d742a55271017210e0586fafdf9e3503812fbe7a53e7aff2bd17ab333c9aabef75836d624d114a21b70bda927e05f8971fe64c0f1d8f269d4dc7eca9

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
117KB

MD5
1bfcde6be7bd0ec09994a1f0a2b57711

SHA1
4bfa2b98942f950db75a7ca4da27dd9de02d75e6

SHA256
19006b0060e8157494ef7d1707f9c5b938b4f36fe40a316376fdb7b0a0668c23

SHA512
a3c944836cb16dbe9b04e62cffcd826e805529bf3331a71fb08874cbd8a691842fe56c5fe7d2661a577ce89ecd20c7cdeb938f2ed04b7c93f50ec4cf320f7d73

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
117KB

MD5
145087c02b1d6d3acb72d8edeb846440

SHA1
be5222aae782975e7c24ff2ce7741372c5e93038

SHA256
fbd5de96b5030c14428c21d0d8a29248ba8e9e234e698de9214e88a96fc308a6

SHA512
332bd0f44fd9e3e7b1a2795421eeabfc8f515f9bd4895a9aa8a7724e55939ddb19c42b34f729ff912c375000fe464ce947970c21f6ecd25586a17155ecff3a24

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
117KB

MD5
85066f2a5e8f293867eb296a9cf9d9b9

SHA1
35a50971a4581699f2e2043b670211641dae3db3

SHA256
46cce4c84ab5babbb72566999a4b7d36f1a00581c076460ece221abac6fff3e8

SHA512
6d53617115cbb7eab9ae050a010a49d871ee084709cef598bea598951ab953579bfe9f68d8c97ef49af75fc76feda5325b44c32d7045ed201ef4c923da5c2f4a

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
117KB

MD5
be6b897110de63b8a1d4adf0502d75d6

SHA1
be96c34e2a81c82d6327622cba694efb9313689a

SHA256
3f7a1af1a76a2e54b6cd057afa19b2d117813412920fd53df9929423267f3b4f

SHA512
1c0d9be15d891f31f44372e5a347c27ec91c0d36a62608785de79e965a54ffd104c1beb701801f2211ed26a023d44f66ef9a32e8f2373f6a6b78391c41feae7a

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
117KB

MD5
972a8dacc56a36ed7d261235bc21bc78

SHA1
dd71605def4735fabf0400ca63c44efecb759a39

SHA256
84b35d0a2a45eb066b7a7844abae91909cd9c3cd18fa3e44a270ecf1564ad792

SHA512
a9c615e1998c81f948c2cd3409853fbda4df6e30cfd3dd151d05e47e73a77dd1c149cb18f40a86376de762863eee0227a2f754267b3376b411fb5aa6d10a1420

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
117KB

MD5
6ba4ed845c5ec69bd9a78742fc18bc7f

SHA1
2f12cfe0bffcab286018c086f1319e359870086c

SHA256
f556dd7a3b52a93d6d4762a23eddc1169bb8b8c797d01e49aef0cf0edd421dce

SHA512
6a49430fff96c9da9b1ba64fb797e4acb0419ca7648f1c7303b5eb04effd0ffd5334c328532ddd85c11e4ccc42003fa18f4774d49272b665453079a43ddfad75

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
117KB

MD5
319823181ee0cd162491550cd737b8d6

SHA1
52353fc2bee197572eac3e8f1568579e5a50a4cb

SHA256
f33c84b9bda66b6deb05e82888dcb17c17e65723d0a53b81d137a69059ec649f

SHA512
d0e4b42125dbbb6c19464473aa65d5d6688f1c9800ffd182c8f61d9b4a6aca408304070b1450928f68cdac6afaa2d60da8f35a037897acf47fd856247a0092c5

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
117KB

MD5
1b36e63db338a708ccf46a0dbb8e0433

SHA1
0c59465c957d28727019a3a263f7a6fcc6cc2bb3

SHA256
11c2003cf26595cd5b7cc4078215cadabe104e917b7a31afa848626216d95b5e

SHA512
9a0ae303b74159d2c2f1bbc0f789116b0c3d4330a02060d7f952d59f4d84bd21e24b2232c41b8f460ae57eacb797f79220a4c3342e0fc271399956816e04b716

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
117KB

MD5
f004ce2b9b87f5a4c0c8e0c9a42c05d4

SHA1
c277aa46ced73735c9c40413a0095c6be818e3d3

SHA256
c1b3a20d781b8a96a6db075dc23af41d469f640fae50c96e22241e507b899588

SHA512
caa85e00ca4ccd223cbc53fd2f552ea2d6a17345156ec162674ba254dadf5fddba8b33a24e94b52d6c1203a0e5df3e05cb03d0e38a4775ec27c0c3e385b08438

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
117KB

MD5
8f7dd1b43f20cc2c781d98aed9213249

SHA1
707f9ba2e56a827ddd737cb410e4c82317c652a9

SHA256
61f387c421b524aa16490ebab707bbb284165e031404d68a455047a9006321e9

SHA512
15383dad80f7c2058f0c5e428b0498ec722a1a94dbf10fad47d7db1bda11978f9d74393f07b7cd43d47d864a25a233e96bbb3f6d86ba5c03b7f57007e5347669

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
117KB

MD5
5c92da3add2ff84b12ddb7d5e4771d01

SHA1
aa3807a984eeda1c1534f60b1b853f6d44fe9261

SHA256
16a7c7cb7f410dddc48b13b2a66c7b7f9de5b1f06e21bbe557521e9db02457ee

SHA512
a3e0d3de2eb4fb46ea836c6d5a61366a948c0c99c13777d6a783ff54034ad58a0775a645798c566282dfbe09adaf23046362f78960eead40e15817122cd71c32

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
117KB

MD5
94c80d5b9f13e40f7bd635f748915b1d

SHA1
f4b435aaf39a2acff04b61301b90872839709ebc

SHA256
61c38606f1606b79aaa82a3e7c982ed2a722cfa94543459da2a1e06a725ee82b

SHA512
15266015df0397d2c97dc158902f87f0e843d09462664fbdd9b11aa1cdc35709318c5264c6c58e58fd34cae045772d69bf6388f6f993b78e70aac6d69fc06c99

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
117KB

MD5
75fd72066b250338d88ab2948943d3e2

SHA1
38a7adcb14f2646d604a97c29e34341462c9de18

SHA256
8809051f3e53fe504278df17045a7e5d6053307af102672021de66d9b46264a1

SHA512
70cb453a5f57ebc171603c0e7b20c0ad30d71d1023316b7b52047f0da3cd4df840752d051a63c81a57fe04ca801acdec4676a9207cbb6ca372964529a4e44cb0

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
117KB

MD5
06bf78021203c4bf6ea2ed240d4df97e

SHA1
6b72befdf346bad6d6cededb13c9a053a084c801

SHA256
f64937541aa72b994ad9686e956ea9c76ef3cea638b3dd91e487f76319a92e8f

SHA512
408c164c87a4f78b977c8ae1aae8d4559cc8478103b35abd56106435dbf959a858c29fab82468f6dff92df380f65c7b4974cd85069326674fac6a2f0dc1a6990

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
117KB

MD5
be8680305ef7c558b4f550c3e67cd606

SHA1
c80da11afd1fb07a1a0e0e1671b851da5e05ed70

SHA256
3e37b352942cdb1ada4ed1405da91ef4223cc01471898429c5da04e6ba343947

SHA512
75d2a8e7f72351b7096ae46f07536ce1dd11b166fcc8a71581bf25f3df45d8229fd0afbfb314fa922b4d3e9cb67bc476870e532a6e27db9137893826cb0fccd2

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
117KB

MD5
cdffa79a86839e4aec34659f69f71d4e

SHA1
f38ab0ccb5b4eb18bce964bcc0f3d8a760322d37

SHA256
6f050b44a862edd0acabb5d0566a5e7fd99e50a8881a391730cfc7156183bfa8

SHA512
5a2c56c0679b16307fba7b510a842d54d4a08fc3bd7ff7bb622cf7b0f401c36cd3276983a58364bdc661ff48926781ab6b20ac69f360edc33e5526729fe29765

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
117KB

MD5
c411b3791a3033a5c5d7aaa8844dc7ff

SHA1
8c324a33ab141d5abac5ba02aef676c9dffdd8a8

SHA256
afd865eac440bd086ab196421afff153082d29a3eb3f9977405be8e02bb8f159

SHA512
db2001390a724e3856bcbe3e86296e6422010eca68cce17a2f958d3d1ee23f76f6c8fa72b17aab2d4a3144eda81a26ddd4ee901652bc4313452ae8a1429391dd

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
117KB

MD5
3b267b158a0c1a2519ff2db190e9c30a

SHA1
a10fed925c1b7f7092d863b6dce580b64ee5fa0b

SHA256
072f62a0a8c02336a745625d59e27660c4e71fd8bbd9dfd53468fe2209908e57

SHA512
70696d70fda95c4af00761781cec36c4627834b00dadb0c890c26eb382f3447d7b9c5f1c31243da4331f15166c046634ddeaa924c831a980ebeff416fddbf1c2

Download Submit
C:\Windows\SysWOW64\Fqjamcpe.dll

Filesize
7KB

MD5
ccad7743fee9e5af0107c79167ae03cf

SHA1
b04f491b82e9e1ea4cf59abd4685f6835c5c2d74

SHA256
003de7bdbe3ea8a0339b5c5d7af6087d665f4dba015117fdf09bbff9adbefaaa

SHA512
1500dd64e5285e12e07bc908c256e9003fd1fa467b9aed90f0c56ab7f12207e28145a03d2dd06dcb7180dae4c42b46e303c8339da1dea19f3fa7f8bc2144f4ab

Download Submit
memory/736-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/736-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2808-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2808-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3248-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3248-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3316-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3316-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3420-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3420-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3960-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3960-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4088-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4088-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4824-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4824-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4868-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4868-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads