berbew | 2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
Size

96KB
MD5

a86b53c749b264104dd1311b49f7ba30
SHA1

45c0188aa96b0d87118d83d563d34b0bde503360
SHA256

2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045
SHA512

aee7708170b1433289a974982797ad080355570b220644b46449f88dd8183b37d611427cb9b5ed44efb83d55e9ffb9a906677441fb786b274210ed2d40b0ea9a
SSDEEP

1536:QaHsZLIJ3YTc8fThFIkHsAR4dN1CMqQa7fh2Lp7RZObZUUWaegPYA:RHsBgYZFFIOsu4XVa6pClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
1976	Bmpcfdmg.exe
5092	Bcjlcn32.exe
2724	Bnpppgdj.exe
3916	Bmbplc32.exe
1112	Bfkedibe.exe
3108	Bjfaeh32.exe
1968	Belebq32.exe
972	Cjinkg32.exe
2464	Cenahpha.exe
2432	Cfpnph32.exe
3924	Cmiflbel.exe
1972	Cdcoim32.exe
404	Cfbkeh32.exe
4316	Ceckcp32.exe
4700	Cfdhkhjj.exe
5004	Cmnpgb32.exe
4892	Cdhhdlid.exe
2456	Cnnlaehj.exe
4248	Cegdnopg.exe
4076	Dfiafg32.exe
4456	Dmcibama.exe
3964	Dhhnpjmh.exe
1476	Djgjlelk.exe
4432	Dmefhako.exe
2112	Delnin32.exe
4488	Dfnjafap.exe
4380	Deokon32.exe
3580	Dhmgki32.exe
4088	Daekdooc.exe
3520	Dhocqigp.exe
3556	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4964	3556	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1976	2840	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe	86
PID 2840 wrote to memory of 1976	2840	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe	86
PID 2840 wrote to memory of 1976	2840	2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe	86
PID 1976 wrote to memory of 5092	1976	Bmpcfdmg.exe	87
PID 1976 wrote to memory of 5092	1976	Bmpcfdmg.exe	87
PID 1976 wrote to memory of 5092	1976	Bmpcfdmg.exe	87
PID 5092 wrote to memory of 2724	5092	Bcjlcn32.exe	88
PID 5092 wrote to memory of 2724	5092	Bcjlcn32.exe	88
PID 5092 wrote to memory of 2724	5092	Bcjlcn32.exe	88
PID 2724 wrote to memory of 3916	2724	Bnpppgdj.exe	89
PID 2724 wrote to memory of 3916	2724	Bnpppgdj.exe	89
PID 2724 wrote to memory of 3916	2724	Bnpppgdj.exe	89
PID 3916 wrote to memory of 1112	3916	Bmbplc32.exe	90
PID 3916 wrote to memory of 1112	3916	Bmbplc32.exe	90
PID 3916 wrote to memory of 1112	3916	Bmbplc32.exe	90
PID 1112 wrote to memory of 3108	1112	Bfkedibe.exe	91
PID 1112 wrote to memory of 3108	1112	Bfkedibe.exe	91
PID 1112 wrote to memory of 3108	1112	Bfkedibe.exe	91
PID 3108 wrote to memory of 1968	3108	Bjfaeh32.exe	92
PID 3108 wrote to memory of 1968	3108	Bjfaeh32.exe	92
PID 3108 wrote to memory of 1968	3108	Bjfaeh32.exe	92
PID 1968 wrote to memory of 972	1968	Belebq32.exe	93
PID 1968 wrote to memory of 972	1968	Belebq32.exe	93
PID 1968 wrote to memory of 972	1968	Belebq32.exe	93
PID 972 wrote to memory of 2464	972	Cjinkg32.exe	94
PID 972 wrote to memory of 2464	972	Cjinkg32.exe	94
PID 972 wrote to memory of 2464	972	Cjinkg32.exe	94
PID 2464 wrote to memory of 2432	2464	Cenahpha.exe	95
PID 2464 wrote to memory of 2432	2464	Cenahpha.exe	95
PID 2464 wrote to memory of 2432	2464	Cenahpha.exe	95
PID 2432 wrote to memory of 3924	2432	Cfpnph32.exe	96
PID 2432 wrote to memory of 3924	2432	Cfpnph32.exe	96
PID 2432 wrote to memory of 3924	2432	Cfpnph32.exe	96
PID 3924 wrote to memory of 1972	3924	Cmiflbel.exe	97
PID 3924 wrote to memory of 1972	3924	Cmiflbel.exe	97
PID 3924 wrote to memory of 1972	3924	Cmiflbel.exe	97
PID 1972 wrote to memory of 404	1972	Cdcoim32.exe	98
PID 1972 wrote to memory of 404	1972	Cdcoim32.exe	98
PID 1972 wrote to memory of 404	1972	Cdcoim32.exe	98
PID 404 wrote to memory of 4316	404	Cfbkeh32.exe	99
PID 404 wrote to memory of 4316	404	Cfbkeh32.exe	99
PID 404 wrote to memory of 4316	404	Cfbkeh32.exe	99
PID 4316 wrote to memory of 4700	4316	Ceckcp32.exe	100
PID 4316 wrote to memory of 4700	4316	Ceckcp32.exe	100
PID 4316 wrote to memory of 4700	4316	Ceckcp32.exe	100
PID 4700 wrote to memory of 5004	4700	Cfdhkhjj.exe	101
PID 4700 wrote to memory of 5004	4700	Cfdhkhjj.exe	101
PID 4700 wrote to memory of 5004	4700	Cfdhkhjj.exe	101
PID 5004 wrote to memory of 4892	5004	Cmnpgb32.exe	103
PID 5004 wrote to memory of 4892	5004	Cmnpgb32.exe	103
PID 5004 wrote to memory of 4892	5004	Cmnpgb32.exe	103
PID 4892 wrote to memory of 2456	4892	Cdhhdlid.exe	104
PID 4892 wrote to memory of 2456	4892	Cdhhdlid.exe	104
PID 4892 wrote to memory of 2456	4892	Cdhhdlid.exe	104
PID 2456 wrote to memory of 4248	2456	Cnnlaehj.exe	105
PID 2456 wrote to memory of 4248	2456	Cnnlaehj.exe	105
PID 2456 wrote to memory of 4248	2456	Cnnlaehj.exe	105
PID 4248 wrote to memory of 4076	4248	Cegdnopg.exe	106
PID 4248 wrote to memory of 4076	4248	Cegdnopg.exe	106
PID 4248 wrote to memory of 4076	4248	Cegdnopg.exe	106
PID 4076 wrote to memory of 4456	4076	Dfiafg32.exe	107
PID 4076 wrote to memory of 4456	4076	Dfiafg32.exe	107
PID 4076 wrote to memory of 4456	4076	Dfiafg32.exe	107
PID 4456 wrote to memory of 3964	4456	Dmcibama.exe	108

C:\Users\Admin\AppData\Local\Temp\2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe
"C:\Users\Admin\AppData\Local\Temp\2190538845d1468cb0c161f77456da4cf2e88c2662271521340ff52cc374c045N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\Bmpcfdmg.exe
  C:\Windows\system32\Bmpcfdmg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\Bcjlcn32.exe
    C:\Windows\system32\Bcjlcn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\SysWOW64\Bnpppgdj.exe
      C:\Windows\system32\Bnpppgdj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 396
        33⤵
        Program crash
        
        PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3556 -ip 3556
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
96KB

MD5
56b568d2a24438a5c84894c71d364042

SHA1
e7557d6f5a2e1d73ac6ae59f0a1749ae298f7060

SHA256
1716831747a90db335f74dd2aa9756d7eef98f8ce70c5d51c7dfe11e647b1909

SHA512
6c88f549006d2f5333bffc5b9ad9582fdf059bf498308389fcd044ab45393983e01fabd3f5dd1ee43377a6ae016a3b0dab4403c88319b0a3e7692da3a56a67e6

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
d1f076000f1e500f3c9b0ff4f3695c0e

SHA1
df0f750c34323110a0091d72a8bbb1e5bea97ae8

SHA256
651809ffd8d06a6fd2c23278edfb62b20450d6c0dfa0cb9331bbc4660200b746

SHA512
16f4e542268561a94056722b98a7ea2c900367e3966c03541cd133a0849568e7e544447bfe1ea0e2b43b9ec7e8a4665677754ff7891a156086e6b38b6833bbdc

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
96KB

MD5
83508198e927314e6683fe5120f7196b

SHA1
78768ba7c5ab3c018e93337c8dade924b736a360

SHA256
cd7c90439676e5e560074b885be86f215aab1765977fdb4983ac075f79eb8d14

SHA512
83b4b3350d03bc564cc6881ab4fc07efaf4f84b9d5be2fec99487b4186a2628218d67181db795462a4cc34b5d6e2e325019c336d638877f620f733510745e56d

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
4e265a5556f030003b2a922991408f26

SHA1
ff81263cbb5474316fed528065c1166f66891b90

SHA256
bb7cdb463ff4bca2937f9dd66dea00bd5e76dc69894c9019dc42a92ad64e8f74

SHA512
819471fb53279db2c1c479291afbb6b46a24db8bf9dc61263f2c5f1a0c1fdc093b76b7f0b6daf99d38572341b10ff56fea2d9cbaac72287ae842468d52aeab77

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
96KB

MD5
579ade5131f7e9a407b766592ed5ed7f

SHA1
4ea9b403dbc8d776d19e1a3a35eb3c710da748a3

SHA256
4b20d860d8c02b7cf0ebf5a6c0b740c0437076a306dc8f5c2d733071192f1e97

SHA512
120fc3bc20b41a972650dfa95cb500f4a4190943032c2a613a0da4ca08055a38734dad19f8ae4de8af5167545d83c6d34f89dbda1b23e79afc60807476db9f2c

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
96KB

MD5
ea7530b6ae106f98fa55d8c4658a00ee

SHA1
d13d09a7068af2b23a697a234e8762f1ea602530

SHA256
f3a5989c278aff8bb8e3340dab6774a78cd8648e2b99dbe006d62c6e9d1d24c9

SHA512
77494180cbadb53f0b9ac71a14ec834f4ebe1c1bd1ba223e62c6934c4510edca29e42c92a148c2647e6a7936158525bb4199c7ade6403d7904b8281c99d27506

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
e156ef3c41de4c872560453133801cb5

SHA1
23ea43dd9cab0d4d95d984621ef9e09efbff2e8a

SHA256
1e9990d7c9d2619e1dba0be0822d6d1b395f9dbfc822078fcc11e7afb7a15d5f

SHA512
b2d6a83f4ec0e48f3d633938e6b3dc21bb5c593c9fb6dac0379343cfac937e0e8ee380bef430b06a4196a7c642c687b620ef1902a15794f932257adaf8fb1309

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
96KB

MD5
8a8ff1103d0ebd2fe634d47eb2ad9ab3

SHA1
df93deeafa227b27a82b4b583a5c66925004e33b

SHA256
d5949e9415eb12daadb14d852bc6d5bf88d50ad75b136396e6697c17e40f0a34

SHA512
1d8b7674643c5f68bf9b411bfa3ace473c3e07eb90d7352ce5d9ee72916707aeeeb4cd32f889af6691bb5863863154549058d4ab55f3b7ad52030c43bd365be5

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
d177461c990b8188e63100ced5de02b0

SHA1
3039cbe8f4f1a4d13c0c94f6d36b077901747dfc

SHA256
13742107025d7ac411b155a00ce78a4bf71626c6f538879bbfc9355b99feeb1b

SHA512
003f403666c06f430f8ee6c8d5e24b4beaa11b51b5407d7472ce462a8137ad4d726572a688707cfeee281acaca74eec71201cd8c8b0936b21770f845ee71f5f3

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
bb5cb3ef040f4307b20d3c9f441d0e52

SHA1
6ca1c4ac9f2131aed1d2feb4407b4106fb1164a3

SHA256
d88336f913ad0af759bec2d8693d900f81e54fa31b982998436b6e0b329c6219

SHA512
52f0f53be98e8a781453698330e5abdc4fc29e9c2a8c6b6f2fa5e462ca06f5223ab6fad30cc23be02fbec7abd3767afd41cb019651cb07810ce49b68a991edab

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
1cb60f32584688df5f4098f243496922

SHA1
0d3a13782c5b352b8fb2a0516b2863131c9044fe

SHA256
77f8c27c231d3d021dc3823bd0a6d4ffae78c8ff2b46a23234a037cebb09bfcc

SHA512
d7153b28560e89e4f97e964d0d8363bc7a06c15eb580a66ccefa2261c17a2e400daba40aad2b6560f650cd01153f28e05d98457cc869c33f2dfa4e18744aac4e

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
96KB

MD5
fffd1569c7712523558c0fb0f0e77788

SHA1
3f9cf5ecb76de1b6b993c7f4c297357eb9881bc0

SHA256
58a405a54aaab9789c5d364bad01693b78f90ad044ec60b19912358eba9bec8f

SHA512
dfb219be5b81cf1cdeb356d2d410a1992ca4ad99c200dadb5359be47a8dd12c3e181bdf4c9caecc8be0b6313cee11198e37d9ef503c8f5fc33bf63a91af8e664

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
9a6958c0b9f9f3a2d59828afd078bb6a

SHA1
cc42586d02b021d7c2b829a417e23c06acc0a509

SHA256
c6031696d7684ee560853fe4218584a40fb34ba4f6f8098580af0825099caf4b

SHA512
5a213200f997fb671bc232222bda5df01e6c7c9e73917a09966fb2e16d10cb416dc3f674d1d2a1aceb4caa5b407d695863a64ba30200da5669ca8c8785f13377

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
3ad55be55fe0288c795cdb09f2e352b9

SHA1
e6fc4f3b66c66dd92f0d26e83168fb513fdc6967

SHA256
0a2522b30eb8f7b4cd0e5e9886b3a859b50a93d9b67a30fe7054f4c550420bb6

SHA512
02d8a4f17f23388e45a4d3b6f97aa9b0efd7e8b20d5f2eb5d5b3dc181624dca42c5ed515ecaa4474323b75f425b240532c423e41a6733500b7173ba2ce38d60f

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
048acb990de1b4a728eed917c370176e

SHA1
4abc170b8533de06aa5439b5d5bf42a4c0fcf6db

SHA256
f55747f86d47901bd67230979fb0ba27f5b42c96a1dc7a80a214e4f42c3c2ec6

SHA512
88978879f1520c78ab4b2299f1b520eafd206da43d1a9426fd02e9b45aea76b3e19a4e2621054876a4fea4c72ea9bfa16b5e9e598723000586b95a3c67917038

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
5de2ac6eb813014bf5853fd44702db6b

SHA1
11d83209ed74c2d0b74319ce4be2ae452374c2c6

SHA256
1b9a978dfdec7b46dd01ed796e01d10c76c05b22d8da3f719645c44020bb318c

SHA512
f8b2f3a98530ea51e7888016bc25db0d7b2493dde6a69a6212ed1cacbf38453bc4da0f8055940d374a9c631347d69a198cb48a878cdedc98574c4ce7653b1a6f

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
9483e20045570457951031f2e5cc145b

SHA1
4c8420301f5c43daadcf3cb001e87f164f51a846

SHA256
e26300eb0d271f4535f15441f8da58a1f1692a5592b09ffaf3ed6c7f1e2aa25c

SHA512
d24d734d9251c412d19528000013dd0c86aeffa00d1b506daaf57fcd9c1ac1218a59ffceebc7e8a13177304a8e73a5cb7ed8edb6581b540c8fc3fbacb296d96e

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
96KB

MD5
2a8abc28736f6730056bb370d5b04045

SHA1
a255260c5da865d29a5a7e760bc5742197feb705

SHA256
cab904e834fe5454d451840e60ee9833ceda50fc82327b23aefb48f5fd87a370

SHA512
77b2651279eb393dc06d8cc93e4c9639c81edff598cfb443002ab4894e067a2f81019bf3799ab6d6de8a1ea65fb4103554dd6fd6dcd09de7c46f570b7b41b01f

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
4a57a2c56e1e492669effab675d41535

SHA1
8f0a9d3189e9e3dc070117ca0e679b56e91e3434

SHA256
ef3728fa0f3e90360b128b8320c9c895d48aca9071ff838148d9883f008f4663

SHA512
8fc3cc3c90b2bebaeafb01958031b6e6ab329d034c5283d8ca35656ddc6947dad14480dbd3f41eca0e35d314139ff4578d30aadfa31dc8c6ce6c80d93a18c22d

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
3008ac0e63e8cd827697edd213a8382f

SHA1
fdaaa6890304ee1ec5173faadbfdbaeeac54b4c1

SHA256
aea874468042472693eb2313bf236d267df92fc9c8cccb63d30c4b87a0ad5c77

SHA512
113faedb895524ea76502b6aa0257dfad8f3342e99f9c754d656e5f45794460ee25c033d0003b2e19f701d128b5894bf19b4aa2ad0ffdfb7df4a939dd6076788

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
6268446f8bbe0cd33edc3e10919e53c5

SHA1
74b0762e1f2672f8f542596f10258daece5c86bf

SHA256
8ab8d67d056b522afdbbcc903e6f1a7391dae093df8045ba38f5443b61e97751

SHA512
f9d57d4f37960d3d14ddc83ccca6e28724cf8fd4c1fb5c84b41e67cb58671b939bb56ec7fc3a2e078a952dd26815e750c30d969c5597f84dd1485c4b7cda5b17

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
3618d4a9b02f0164ee0da1af44552b6b

SHA1
951381e0fc1d7d08d6739c89c1007d4d169f3897

SHA256
b2b0ba33fa111263552852eeb37628181d7ad8506a72e139cc72e14e7d5e6700

SHA512
354e6735975c164fbb5c26229a52a46e6dd6603a150b5c17e35a3cc83faf60d57603e16227fde8a9c59e763d2b986ff316a010faa8985782fee68598aa69f209

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
5378c276019e76ef688274f2c109c818

SHA1
5c1014df5642d53fe84f318934732c68ec85dbaf

SHA256
185316940a85c8dcf80d64876f4c03c868f9d2669044203d39e205a3f9f2561f

SHA512
f44bbbbdc4e4d84e088840e03805dd58bc06530e38cbe559c6286987b156ac4f3206050ec9819f351084155744e85fb42e36ec2043a5732c5927f6b87b864984

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
e048cc1ccf962c85914a8e94acac6f27

SHA1
47a49b76e6ef7d90a66312e0df8f6546812f43e5

SHA256
c581c4207a646bfb4980bc26e852983dda70274e79aa686419765f74cd211e80

SHA512
15512ac0845a7f61d962ec3db720027bcb60fcfe1bf21ded7cc7bc8643cc26059fc9463d4ba8018ac9f652210275449680e4a1e99bd65850e9430fe0a3b74c7e

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
e1c961ceeb9e98d400e2b37904bcb913

SHA1
baa3a37cbb7ae2a65d846a6bd42ce355c3e19122

SHA256
0bce0fa6bbdee7a0065da9868203df493e82b0a471e95a800bc8c262fd6be0f9

SHA512
fca01e89fb00ee604c196024e267da980623687d1102c43b247b0fe8085a76d8b59ad2a6dfc1429a049d99cff566be6cc8b94230eff5c7103cf423b715fe2784

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
7ebab0f1befdb5b7d1aac546cf886129

SHA1
503c1a97c38e3893dbfddf2f2a4639c31e90aede

SHA256
9d5cb181c8fe7fe0c208bffc73c0b7d03e1d0b020e60d16fa048e08ff4bb9407

SHA512
d85388bc7437419ccfa6dfa999124581047d7151a11f372187b70381b5c3afe012ff3060e877e858850246624dd19b81297be3cd22e3085eb24fc28b5a1c5c59

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
5bca10d8cedee430e9c6b92a8c3f7dc7

SHA1
4dfd50614c6f2448c8bd7a773a4ac77f7865bc18

SHA256
c21816b3c24bf455325289d6710bece2a00f8dcdf60a582a93eb74e05ad0ae6c

SHA512
b2d9d969cc960f697fda0d7b4f196f72ee0bb23cd5b892cb30c727ebcb39980e1048a0e42f96bd1ee98a1ba9b5699ad2e3cdc06e4e9ab3f7c55eeff28806ed0a

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
08236f78860c3f9458e1ca4de2af3f94

SHA1
c4740a9ae6e24af05149eafc677bddc276878a65

SHA256
7a35190d4256a83ee6d4ceaf64dc5abcee023b9f0270c7870f7dc677ad3654a5

SHA512
fa1c55a7f6037ef3d0705e457732691261b516dd1187b914a4de5998ebf79157f4348e6dab1dc3bcb72038759ea18c546d7ec6aa07a880a6dfadfe82526cad9c

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
6c09e70c95d05af2a367254f50a2a6ea

SHA1
f47c1819d579887942d17a0265c79bb655b6d65e

SHA256
becbe5a7d38f1f925f85c7d6c7bb4750e2956d817ad1ee26f37d722b29cc3699

SHA512
f315f5b221ee18a486ab83ef40f1c1337badb1de71c7bcb092331b9659a0970139c97d7b1c43d9ed0475c53993158fdc44ce1adbc88bfb255a7460b11d1eac5b

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
1d9b93cdda6cf49500d9c084e8a63391

SHA1
3302f7d659eadd0ef19e043b7c3e93ed7ddf26e5

SHA256
9753a5fa6112d03f92421e61cb9e8bd75a8e0116d06da7077ad16bbd6b60ea77

SHA512
bf5851fba207a4a1e95de3e4deac1992b46d267c9f6dacc613d037a1dc4fcc0d902bf1de5a5e3fc04cde490fd0a999088f9274816c89b72318de0875b858da80

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
d23cdbb3e3548b900f55474ba67860b1

SHA1
2e18b525c1570fec2999609473d055b491b428a8

SHA256
023911f3a9bc8bf03d61f38b271cd205ead8d056e40e6c5aa1f7c19e823d89a6

SHA512
9466385f089df277fadf5404f74aa2ab43f3b337feea1f318180e47085fddd8bbb134a0b8a150e11b60310d3061c3f12c06271bb7faa542fd115ea8e6e8e8744

Download Submit
memory/404-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2840-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads