berbew | 2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
Size

74KB
MD5

b1a15a030c3afd149f660931ec6b3657
SHA1

3063b9026799f0d92cec27c617561b5815c064d1
SHA256

2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6
SHA512

f4749ee2c64f4c72f200d6628a1342e08f4dc839992d0e3170a127fd700c66ad12233ab1e707bcf0e99c386452a0ed8af2ff4fe76bc8b61c40a7fc4cb8919395
SSDEEP

1536:mfWhRZHdOTvCvSlgUwSuayG3OwrKUVplX6rHb3H/D//HHH4Ymy:m+/FalwzayGeYzk7kYmy

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
4976	Bnbmefbg.exe
4456	Bapiabak.exe
3988	Bcoenmao.exe
4396	Cndikf32.exe
4220	Cabfga32.exe
2864	Cdabcm32.exe
3220	Cfpnph32.exe
552	Cmiflbel.exe
3660	Ceqnmpfo.exe
1892	Cfbkeh32.exe
1516	Cnicfe32.exe
60	Ceckcp32.exe
3600	Cfdhkhjj.exe
4708	Cajlhqjp.exe
4540	Cdhhdlid.exe
4616	Cffdpghg.exe
3316	Cmqmma32.exe
1100	Calhnpgn.exe
3716	Dhfajjoj.exe
3172	Dopigd32.exe
4188	Dejacond.exe
1844	Dfknkg32.exe
1200	Dobfld32.exe
3120	Daqbip32.exe
4736	Dhkjej32.exe
2276	Dfnjafap.exe
1056	Dodbbdbb.exe
4324	Deokon32.exe
1000	Dogogcpo.exe
544	Dmjocp32.exe
2996	Deagdn32.exe
584	Dgbdlf32.exe
2172	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1796	2172	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4976	3492	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe	83
PID 3492 wrote to memory of 4976	3492	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe	83
PID 3492 wrote to memory of 4976	3492	2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe	83
PID 4976 wrote to memory of 4456	4976	Bnbmefbg.exe	84
PID 4976 wrote to memory of 4456	4976	Bnbmefbg.exe	84
PID 4976 wrote to memory of 4456	4976	Bnbmefbg.exe	84
PID 4456 wrote to memory of 3988	4456	Bapiabak.exe	85
PID 4456 wrote to memory of 3988	4456	Bapiabak.exe	85
PID 4456 wrote to memory of 3988	4456	Bapiabak.exe	85
PID 3988 wrote to memory of 4396	3988	Bcoenmao.exe	86
PID 3988 wrote to memory of 4396	3988	Bcoenmao.exe	86
PID 3988 wrote to memory of 4396	3988	Bcoenmao.exe	86
PID 4396 wrote to memory of 4220	4396	Cndikf32.exe	87
PID 4396 wrote to memory of 4220	4396	Cndikf32.exe	87
PID 4396 wrote to memory of 4220	4396	Cndikf32.exe	87
PID 4220 wrote to memory of 2864	4220	Cabfga32.exe	88
PID 4220 wrote to memory of 2864	4220	Cabfga32.exe	88
PID 4220 wrote to memory of 2864	4220	Cabfga32.exe	88
PID 2864 wrote to memory of 3220	2864	Cdabcm32.exe	89
PID 2864 wrote to memory of 3220	2864	Cdabcm32.exe	89
PID 2864 wrote to memory of 3220	2864	Cdabcm32.exe	89
PID 3220 wrote to memory of 552	3220	Cfpnph32.exe	91
PID 3220 wrote to memory of 552	3220	Cfpnph32.exe	91
PID 3220 wrote to memory of 552	3220	Cfpnph32.exe	91
PID 552 wrote to memory of 3660	552	Cmiflbel.exe	92
PID 552 wrote to memory of 3660	552	Cmiflbel.exe	92
PID 552 wrote to memory of 3660	552	Cmiflbel.exe	92
PID 3660 wrote to memory of 1892	3660	Ceqnmpfo.exe	93
PID 3660 wrote to memory of 1892	3660	Ceqnmpfo.exe	93
PID 3660 wrote to memory of 1892	3660	Ceqnmpfo.exe	93
PID 1892 wrote to memory of 1516	1892	Cfbkeh32.exe	94
PID 1892 wrote to memory of 1516	1892	Cfbkeh32.exe	94
PID 1892 wrote to memory of 1516	1892	Cfbkeh32.exe	94
PID 1516 wrote to memory of 60	1516	Cnicfe32.exe	95
PID 1516 wrote to memory of 60	1516	Cnicfe32.exe	95
PID 1516 wrote to memory of 60	1516	Cnicfe32.exe	95
PID 60 wrote to memory of 3600	60	Ceckcp32.exe	96
PID 60 wrote to memory of 3600	60	Ceckcp32.exe	96
PID 60 wrote to memory of 3600	60	Ceckcp32.exe	96
PID 3600 wrote to memory of 4708	3600	Cfdhkhjj.exe	97
PID 3600 wrote to memory of 4708	3600	Cfdhkhjj.exe	97
PID 3600 wrote to memory of 4708	3600	Cfdhkhjj.exe	97
PID 4708 wrote to memory of 4540	4708	Cajlhqjp.exe	98
PID 4708 wrote to memory of 4540	4708	Cajlhqjp.exe	98
PID 4708 wrote to memory of 4540	4708	Cajlhqjp.exe	98
PID 4540 wrote to memory of 4616	4540	Cdhhdlid.exe	99
PID 4540 wrote to memory of 4616	4540	Cdhhdlid.exe	99
PID 4540 wrote to memory of 4616	4540	Cdhhdlid.exe	99
PID 4616 wrote to memory of 3316	4616	Cffdpghg.exe	101
PID 4616 wrote to memory of 3316	4616	Cffdpghg.exe	101
PID 4616 wrote to memory of 3316	4616	Cffdpghg.exe	101
PID 3316 wrote to memory of 1100	3316	Cmqmma32.exe	102
PID 3316 wrote to memory of 1100	3316	Cmqmma32.exe	102
PID 3316 wrote to memory of 1100	3316	Cmqmma32.exe	102
PID 1100 wrote to memory of 3716	1100	Calhnpgn.exe	103
PID 1100 wrote to memory of 3716	1100	Calhnpgn.exe	103
PID 1100 wrote to memory of 3716	1100	Calhnpgn.exe	103
PID 3716 wrote to memory of 3172	3716	Dhfajjoj.exe	104
PID 3716 wrote to memory of 3172	3716	Dhfajjoj.exe	104
PID 3716 wrote to memory of 3172	3716	Dhfajjoj.exe	104
PID 3172 wrote to memory of 4188	3172	Dopigd32.exe	105
PID 3172 wrote to memory of 4188	3172	Dopigd32.exe	105
PID 3172 wrote to memory of 4188	3172	Dopigd32.exe	105
PID 4188 wrote to memory of 1844	4188	Dejacond.exe	106

C:\Users\Admin\AppData\Local\Temp\2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe
"C:\Users\Admin\AppData\Local\Temp\2bb1d863e88084994fbe6aebe1b73cee82fa34b33e827960d42d31624a4b7cf6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\Bnbmefbg.exe
  C:\Windows\system32\Bnbmefbg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\Bapiabak.exe
    C:\Windows\system32\Bapiabak.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\SysWOW64\Bcoenmao.exe
      C:\Windows\system32\Bcoenmao.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
      - C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 408
        35⤵
        Program crash
        
        PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2172 -ip 2172
1⤵
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
74KB

MD5
8e5ac5c8402065641c2989670bce5b25

SHA1
3fae0167295e8139a111cad74f3c3dae4a0de286

SHA256
6064e888810056c77618a23804628caf9fbf91b8cb45e6a3562208434748d35a

SHA512
55be8e8d25a54603ffb90c91361ea6d4c155fec9f0b27ff49b09ddfebdb43a757bd013c1ef3b2588cff11e4219f6b3e528d9888a5a0fb51180ed3f227aea4399

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
74KB

MD5
ffc25a8c8e8608acacdaaae890687c37

SHA1
f77ba8a264fd4398c39c5253a1816e56d3895935

SHA256
d31c173f67cbd6f26fb722b5194bf2dd263c39050a190eff2a378f90f693e6a4

SHA512
ff7d3994e9744142f145498c2ddc66f95ca5ed123f3c7aa361a5e9ef0fd316bd3a5b3a7e29fd70d840b42d28d2f5ad6b44732a70e910b17d106b7b2fbd0d24c4

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
74KB

MD5
6a3b5b3a17acc90c8bdc4b777da9967b

SHA1
ae10dbf70fc89d1e3a630acd43d96e1a185bb6c4

SHA256
6b62d8d909a465e78bfbea46e654f07ab0d8dcdb0ead0c24c2d00630e9af8815

SHA512
87eea5b4ea04aaed5c264bbf99ba4f90a3aeeae6f1e257eced408fd9e52943f250361705b902afc20b3d21cda58d4168bfbde8650f2665fcd077644c642ba017

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
74KB

MD5
2d9947fa92787024b19789086374fd1b

SHA1
c50037cbbee062611293d11bfc2e0684f7da2176

SHA256
a1959fa22b3f0106d89ae7c22844e7da6db65cc56c462657bdc5f75c0212566e

SHA512
3963040ef35b6958c6ddd1705de144e5617e35aa1864c275d5413d8ac2c8f237ff1fdeffe3385a4647734d8890080fcc8fe9d13cb5d59a38ac3d92d0285a36ae

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
74KB

MD5
345e976791c9cfc66c0ac07a8a4cc6b6

SHA1
e4be0f47bc16902720fcec34b522004008eec87b

SHA256
f692e562eb361b00c68d2d42a71653b169cc1a1ac0599c69458993fad0d22300

SHA512
f9d477b702a2313c9f832030efd7e054bb179fa0edfa4d6c430c26a30202a6bf5c1ac25261256623aa59a974f46c2d6080878d374c46c8d6077915646a81275d

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
74KB

MD5
e081540ee4aa7b3c01bc1ce90a3dca78

SHA1
927e0bb764c9870c9270e8a23c5557702e10b88f

SHA256
6c053ac924d2e12e2e3473709d4c696ca5d982709df939ffc4164fbdf894c55f

SHA512
350fa6e38426c79cba925dcc77f5f78dd94901173df63644f2bcb9b4223e16b4dc8dbdf807f977ecae2027863607e453474f1dbe4178d3b5d6dffe81cf22ab10

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
74KB

MD5
cf9f0f930b6a550962e8ea9afd20d9a7

SHA1
ad281910003479e6c7636e0fa25aab73ae78dcf5

SHA256
0ab8a533b1d7461a10c6ff84990f7a94af7c908f513777a2c7170ecf63871ec8

SHA512
67f66e52c2cf8143036487172c290593b7e5ec27582ccd925252810603dc450671265291605fcbb2344a7f3724abc9056911d9a3081dd8e9a3ded190185240d3

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
74KB

MD5
ee66a1bf88cb49207128215d51549359

SHA1
2c18c722bf97b1e36413b309716394c0688aa03f

SHA256
0b272ddffa1b0a32693eeb1c3e72e2011d61a59e86d026b091daa1f030f13c55

SHA512
d9440e6bfde2acd38aeeb6386594f84a7bcd3feeebcaa5ebd8a1cf29c76633cf39fff81d79cd326fb825e538210cf9c73e2aea66eed187a3b933a02bdb2d6439

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
74KB

MD5
7071af863495770f262f0bd8430d51b4

SHA1
93b4c9621c66cfa61a82f9de2d4d2aa9cffaf532

SHA256
42af05c8ece7cc44fc20302a92000bc4ee0614efc419b4906acfda892d067f22

SHA512
c7f06651ca5f2ebede0e8b97a9074588c6f1dad8dc64c7b4e2fe2548ac08a96b2e1c65f297a42e7e198ad8c87d23c31ef1276982cf16f29a827c785413e36149

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
74KB

MD5
4d3e54fe743a2ddfbbb7c2d56d2595e6

SHA1
fe9381fda08800cf04459d681a88309b0094f8de

SHA256
5f3f714b34fec39eb9b726405f79037b4140cb2bbd8ce546624b058a7793cead

SHA512
1e952d07b4ae9bd01bafb42c1dc3ff05c706ef80611d0469d4f3cb022bc596ad52717a85057ede4a8cc929074a065e55dc2381dc427076e00ca6664944f15377

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
74KB

MD5
2ce9819920cbee48b6d067d7d51565ad

SHA1
aff8fc82cdef12c1f390433f7907b0af984ffba3

SHA256
90f835c8d765906dc824119ad2c7461c1ad3051baa7d0dd9eb260c0301dc6def

SHA512
6b224cc127415057ec3692fe10a1d69591e8517a74867163bbd41253eb525c0d83eeb93389566c0658c714a8348ca9cd198aa6cd1509f76667ab00f091d3e901

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
74KB

MD5
2c3e27f0de4d0f9a6ab1cff0796ea530

SHA1
d99b79e1ac39021929df8aaf6cf6308af74fd35b

SHA256
14ec0a95a42d17ff72f4352c173b38bb0d39fdc4c4b01d6ef1e125e6ec880887

SHA512
47f3608bcde78a75553b1890d4254d722ac9e8eea6b2ba027de67b7004252735f6fe18596619b1ce4d31025749514240753f9d0d08d999d0cb7ef7423b445c8e

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
74KB

MD5
7d01519504d49f6745310ee1e57d5cd5

SHA1
429a8575f3f8c9acdc0959daaaf8b7349214b9a9

SHA256
2ec9b27688cd881a2cf8cc82701e41eed2d5319162225aa98e1343f5c65065cf

SHA512
31d3e17a2579c24f129a70b1e137beb0b2ee51785b2ad01087e855027ace42e8c364ca411df95c5cdf5361e26356938a4a300a5249316b01cfd19ce3ff578fca

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
74KB

MD5
712936622df36cc7bf5f7818c718208f

SHA1
5fcf4b57d665072958649a4097080137d868f54a

SHA256
8e3dfd714a284252c25d88acac95951fcc959dfb1aba91b03eca12f1aab81b58

SHA512
13a8abf6464a8f64f0b7245f56788063fb4fc05ba0130f45d23c6300bcd7c13b4a200b2f3a942be51c8124dae0fd4f22cc8ba6026e7aed23bd43779619883521

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
74KB

MD5
10cf5149dd99956ed2078fff818915a9

SHA1
04bedd4e8125ad63b835d43ea30e35bbe3016bc4

SHA256
0fda5576057431a54992dc6a0ba1a37dbec6a493ec52da6869d8397dec83de38

SHA512
c4249e69156c7acb987ef79446b2d5545244b7e0451c021c6d8ff7cb5775820f258de6dadaf0fc25d97a1822c61cdf8d638a0ac0d35c0fbb31fc3e0205fb271b

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
74KB

MD5
65cb84d10ccacfbc393b84f7cb4d1cb1

SHA1
f25075c584b1678283e4a805dee1d40a515fb401

SHA256
4d90a67b61f846fe413c73b96c2f0f4434a9e64c7c003e9ea145ad2b0509ffed

SHA512
bb4b149b384615cd76232dda124f30e22e3fc0a2614da4cfe3172de0c2ab8a5a5b69acb4617c6827600e3f3cf304f981100494c53f7701325ac2468e89073d30

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
74KB

MD5
d3352ce42c8c849568a9c2e2f940d343

SHA1
f8ac4798f06d5ccb92b0a1867b0601e0ad3c732c

SHA256
46e0cb968f4f2768def39bb6edb00c3fd21566a1dc823dcd5d3cce3f06897afd

SHA512
bf654ae9b35f7908d388ded9649605161f48c731167854edf98d6cb2e772c41904b52cf335559cd58e9a6b3d11c94cba9a62db93ccf532cc762b3db0a750c6f5

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
74KB

MD5
97d7c3d3fd3412ea4d0e0a60076d631f

SHA1
ff8051b9af2946d4a4507f745cc8d6f3d7c516b0

SHA256
5457b38b1cb651c46353d4932a38871df057c6406b3fb13a45a9336838ada3d7

SHA512
89f01b5142dccd6da6014413313bda19615b7636ac211ea3430e5c2d5cd7425c69546563138d4f641d5db516296e5f363929a3f4112dfd0fd8e320a572f746e1

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
74KB

MD5
88141d62bc988541d4c3c2a8d8428fec

SHA1
d02e87870e43985fccdf07856a5fd5853d4d9dda

SHA256
04e6737cba4c7e997ba125e61e200508f7d02e6118152988ec589b9050d3836e

SHA512
9b0bb707550f1c192a7a09084dc8024de643b4130fb43b147b69ed1a17a9933981293baca86b736305a96754137321cb8783b0dee47cbcc7db698c7291185d39

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
74KB

MD5
f17378cb0f4e558c64155098c48a2b8b

SHA1
3afbc675158d08b4408b5c97f94ba0910c93a688

SHA256
9e9b78ff0abe7f9ac56326838ac0e8b7eecce55b8e3cc2250ebddf94ec4f0e04

SHA512
00f0f21e31089b465745d16fc48ae49e5bcb0b9e0053dbb304708c8243ef99a5933eab5b547bb3dec78deb8e7e0833c072302373b973a2cc75f0951a68b91b15

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
74KB

MD5
4abf79f5f325f91126739dfbfebe8d4a

SHA1
dffb4db2e4fafa674d2ac1118df76c0139718024

SHA256
b2d4af5ee04b7210205edcc81511b8f1a902236639c43f76e70c9c630e1213c1

SHA512
47d83ad29de9d95412eeff25de3704f1f3f2a8494bbe2a84ace43d743575967d841b0534814c681d33a5ffa214efa409e79eb7bb11144e59847746aa73d2069b

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
74KB

MD5
c346ba81deb126f1c2305a6f631cb5ec

SHA1
29d44032e642df29231bc90133e7392a66fcdab9

SHA256
f6865596362dfa60dcc5d4c3c238497b4447db57072f6f3ad6ec6c25eedfe2ec

SHA512
11862db061bf1071801ff75a5c36a10d17ec426a5b2009b684cb442826459436e27a76d5c9fb5cb997aad38394fc5face2ae50cf82659f136e9a557e1c9c9388

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
74KB

MD5
d524b1f3023f3ba285364eaf75a3bb69

SHA1
692e6649539de3b938cb21e6babd37eee45da828

SHA256
856ceadf7b5c133df0f92a5a40744e0a92d550b55dd0e1609e541948d9d517bd

SHA512
551e8d83b580decb325977de7543d5088d219badb3e500a0a6384bbaaa87679537090a430417e97999cc7b538e2cdbcf70c37d91c4c17fcc7b13f5b89cae49c8

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
74KB

MD5
f6ad2f97eb8e39e34ea48d1db20152a2

SHA1
6fb513132cf1cf1ab5f408f3e9a9d00de7d0b252

SHA256
571f226476805262dd8240e9431a40e49f989f25998ef178c6645ec1a7f63e5e

SHA512
7746c060387235d05585182b5f64cd4da4a5ad89ce85db0c98016b4c58c2b198e312f00fd7350708cc4e9dd5d110a019f4ee37ce5a0f0124ac6525471d5c7ab4

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
74KB

MD5
273f83087e9d09891edc17928a076ec3

SHA1
eeca10b0063e76c65b7df56cd1a70a3de5a9f632

SHA256
987374c764d9b0d1876364673048acc54246171ba5f6d707fd55c30852c7d78a

SHA512
ce1e4bac1877e8cd927f7ea5961322855637201551f6b9f0f3501465c855c9f5b20cc917c78a36849d9e7b013b5d61271fdb5fc8e2c2cf326e584c6e092c7a3b

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
74KB

MD5
f761aaba5dd0d09fa708aa7bf2d8ea26

SHA1
508655e93ab44bf4f2d695c3852dc0a88e33d5af

SHA256
419bc61601909d66b9bfd35807f8bbc9652c682a373d5f81c608a69a4ce868cf

SHA512
bdd0d1a29d3d1d4cfe479eda8300b6a6e1d48099ea23f037e0e893bdeb86a7bc452d3ce19a2f557eb1ade1b47cf72467e6ec59254e2ed4c3777961c21379b36c

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
74KB

MD5
f94f50432f2f9445f05af0155dd69307

SHA1
73d7aa10fa2e85722733b2b0767dffee400c8c48

SHA256
897e97c60352206449368fcda86de7a49569fb805a08e976fb23898789476193

SHA512
768cab115b1bf6f8bef6a05f16f26c1626a368e9d9505bdef246345682043f6e70dbe35dbb3e2cb8dada9d27c757bd13f032892197b6461bb8e481bd28793417

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
74KB

MD5
0f4fdcef3499c957ee974019811a081d

SHA1
7474f1be920fea3507f23639c776712a44a76919

SHA256
ec761b82c0777496fc6722c8a59e84ce52dc2c5f392b5b329791900dfefb3620

SHA512
e0e89387234a1a7b75bf7276e592405bcb30958bbeefcc9ef26ce916d5df688c9f0f6c788cc42004b628b827e5c96413f99108f3e3ef6eafe81840c650b6bf01

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
74KB

MD5
773f5e41161077c6a036cea6b7b0a191

SHA1
4857002cd50f859101fbe3bf210189174a4e9210

SHA256
3a68436ad69b0d63df6bf3c8bd85fed7aee199ace0f7ae755bfc1fdca3dd0c78

SHA512
740482bc7abaaf6691a65fead7a9f017b9477ba26b59789283960cb8d5ce72a8782b10093675beb19c8d9123797054f0629dca1248bf0b9f14a9c68f30121d47

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
74KB

MD5
a59956f36560cdd9118af367f754cdb1

SHA1
71f42d6efbb087ce8c7de98c3ffe90952b20e784

SHA256
be0cf3e66a916a855ce1a97e4889455f38109d612dce322d438b4265dc705bd7

SHA512
d46d2ad4d12b17ad54e71ba6b04152b79ae218c58b395f5d4bcf458351cbccd54cec9982271db3fdbb97ff39189ea33a91bcc77ad1497335091ea2e1c2cf3913

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
74KB

MD5
cb8903f5967188715f5089dd05b2d4d8

SHA1
2f7d8b81c7b75b19e62d125cb83469074d17bd18

SHA256
8b13f32d575bd00be28527c98ac7706f8c6400e5f5a9fcfadaaf67370cd64cf8

SHA512
ae5ddb5d39e2fc2d7226c9f3d5be5a8d24f459091f5d4908ebd322102cf4f748934a0e2c3e80b0617bf85e9f79030140e94c6d1c7ffd3cdefcc2cea515002e3f

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
74KB

MD5
26cbbce5fc6b58e77a553772a3f2aba9

SHA1
3b8fbfb96db1c877df2b16a506216022f4cfad07

SHA256
660756aa89cfb8f9f949e1f2694af234ac684b2459635560512774387f0ad4f0

SHA512
57999e1e03ca710c669b9e0ef0f52ba034e1f24e049e6056a1c7a73e0a7699c90406f7815498e8ba0c72f64629d0e1df02c031133ae335cd1dd652a7b6223fb7

Download Submit
C:\Windows\SysWOW64\Ndkqipob.dll

Filesize
7KB

MD5
3a45ebfafb5007b4545c8bb15e0d9af6

SHA1
5b43227480cdef82e6dfc760b63bb417b82d5cce

SHA256
455f59b70d0bbf97515fc3ed7e6c0c7e74ff240d44dcaacf36da3b80c707b068

SHA512
519ea0bb7caf6e6f0ce49529ba81cb6dddf71ec6b6b980a3ac35a5d964c7a30f2e9c4a1bdd1667cc04117446a34e51dd33145f3392ab680a3a1894b830c34057

Download Submit
memory/60-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/60-282-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/544-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/552-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/552-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/584-263-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/584-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1000-265-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1000-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1056-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1056-267-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1100-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1100-276-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1200-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1200-271-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-283-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-272-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-284-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2172-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2864-288-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2864-48-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2996-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2996-264-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3120-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3120-270-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3172-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3172-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3220-287-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3220-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3316-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3316-277-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3492-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3492-293-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3600-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3600-281-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3660-285-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3660-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3716-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3716-275-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3988-290-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3988-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4188-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4188-273-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4220-44-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4324-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4324-266-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4396-289-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4396-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4456-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4456-291-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4540-279-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4540-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4616-278-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4616-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4708-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4708-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4736-269-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4736-200-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4976-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4976-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads