berbew | b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
Size

80KB
MD5

80c14a722431add1bf4af20c5eed6d60
SHA1

8287643872eb3f86dd5266af3ee1bbb7d17886c6
SHA256

b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533
SHA512

260607d6b7580738501e9ccc26c0d2d275758e6cecbda694dc976eb1c4ed363a35b2f44da3080eef0b045e433b889f9f8641b242f1125d6f4b4a682de33f4385
SSDEEP

1536:ret8j4M7vVt7BUT00VG6Bs7E/Ws2LUCYrum8SPG2:KgNvDBUTtGGs7TUVT8SL

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
2628	Bfhhoi32.exe
1084	Bmbplc32.exe
1180	Bclhhnca.exe
4636	Bjfaeh32.exe
4420	Bapiabak.exe
3688	Cfmajipb.exe
3540	Cmgjgcgo.exe
4672	Chmndlge.exe
1972	Cfpnph32.exe
3404	Caebma32.exe
4812	Cdcoim32.exe
3172	Cnicfe32.exe
1480	Chagok32.exe
4556	Cnkplejl.exe
4248	Ceehho32.exe
1568	Cffdpghg.exe
220	Cmqmma32.exe
3472	Ddjejl32.exe
228	Dfiafg32.exe
2196	Dejacond.exe
916	Dfknkg32.exe
936	Delnin32.exe
1620	Daconoae.exe
3268	Dkkcge32.exe
1460	Dmjocp32.exe
2668	Dgbdlf32.exe
4896	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4832	4896	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 2628	3396	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe	83
PID 3396 wrote to memory of 2628	3396	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe	83
PID 3396 wrote to memory of 2628	3396	b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe	83
PID 2628 wrote to memory of 1084	2628	Bfhhoi32.exe	84
PID 2628 wrote to memory of 1084	2628	Bfhhoi32.exe	84
PID 2628 wrote to memory of 1084	2628	Bfhhoi32.exe	84
PID 1084 wrote to memory of 1180	1084	Bmbplc32.exe	85
PID 1084 wrote to memory of 1180	1084	Bmbplc32.exe	85
PID 1084 wrote to memory of 1180	1084	Bmbplc32.exe	85
PID 1180 wrote to memory of 4636	1180	Bclhhnca.exe	86
PID 1180 wrote to memory of 4636	1180	Bclhhnca.exe	86
PID 1180 wrote to memory of 4636	1180	Bclhhnca.exe	86
PID 4636 wrote to memory of 4420	4636	Bjfaeh32.exe	87
PID 4636 wrote to memory of 4420	4636	Bjfaeh32.exe	87
PID 4636 wrote to memory of 4420	4636	Bjfaeh32.exe	87
PID 4420 wrote to memory of 3688	4420	Bapiabak.exe	88
PID 4420 wrote to memory of 3688	4420	Bapiabak.exe	88
PID 4420 wrote to memory of 3688	4420	Bapiabak.exe	88
PID 3688 wrote to memory of 3540	3688	Cfmajipb.exe	89
PID 3688 wrote to memory of 3540	3688	Cfmajipb.exe	89
PID 3688 wrote to memory of 3540	3688	Cfmajipb.exe	89
PID 3540 wrote to memory of 4672	3540	Cmgjgcgo.exe	90
PID 3540 wrote to memory of 4672	3540	Cmgjgcgo.exe	90
PID 3540 wrote to memory of 4672	3540	Cmgjgcgo.exe	90
PID 4672 wrote to memory of 1972	4672	Chmndlge.exe	91
PID 4672 wrote to memory of 1972	4672	Chmndlge.exe	91
PID 4672 wrote to memory of 1972	4672	Chmndlge.exe	91
PID 1972 wrote to memory of 3404	1972	Cfpnph32.exe	92
PID 1972 wrote to memory of 3404	1972	Cfpnph32.exe	92
PID 1972 wrote to memory of 3404	1972	Cfpnph32.exe	92
PID 3404 wrote to memory of 4812	3404	Caebma32.exe	93
PID 3404 wrote to memory of 4812	3404	Caebma32.exe	93
PID 3404 wrote to memory of 4812	3404	Caebma32.exe	93
PID 4812 wrote to memory of 3172	4812	Cdcoim32.exe	94
PID 4812 wrote to memory of 3172	4812	Cdcoim32.exe	94
PID 4812 wrote to memory of 3172	4812	Cdcoim32.exe	94
PID 3172 wrote to memory of 1480	3172	Cnicfe32.exe	95
PID 3172 wrote to memory of 1480	3172	Cnicfe32.exe	95
PID 3172 wrote to memory of 1480	3172	Cnicfe32.exe	95
PID 1480 wrote to memory of 4556	1480	Chagok32.exe	96
PID 1480 wrote to memory of 4556	1480	Chagok32.exe	96
PID 1480 wrote to memory of 4556	1480	Chagok32.exe	96
PID 4556 wrote to memory of 4248	4556	Cnkplejl.exe	97
PID 4556 wrote to memory of 4248	4556	Cnkplejl.exe	97
PID 4556 wrote to memory of 4248	4556	Cnkplejl.exe	97
PID 4248 wrote to memory of 1568	4248	Ceehho32.exe	98
PID 4248 wrote to memory of 1568	4248	Ceehho32.exe	98
PID 4248 wrote to memory of 1568	4248	Ceehho32.exe	98
PID 1568 wrote to memory of 220	1568	Cffdpghg.exe	99
PID 1568 wrote to memory of 220	1568	Cffdpghg.exe	99
PID 1568 wrote to memory of 220	1568	Cffdpghg.exe	99
PID 220 wrote to memory of 3472	220	Cmqmma32.exe	100
PID 220 wrote to memory of 3472	220	Cmqmma32.exe	100
PID 220 wrote to memory of 3472	220	Cmqmma32.exe	100
PID 3472 wrote to memory of 228	3472	Ddjejl32.exe	101
PID 3472 wrote to memory of 228	3472	Ddjejl32.exe	101
PID 3472 wrote to memory of 228	3472	Ddjejl32.exe	101
PID 228 wrote to memory of 2196	228	Dfiafg32.exe	102
PID 228 wrote to memory of 2196	228	Dfiafg32.exe	102
PID 228 wrote to memory of 2196	228	Dfiafg32.exe	102
PID 2196 wrote to memory of 916	2196	Dejacond.exe	103
PID 2196 wrote to memory of 916	2196	Dejacond.exe	103
PID 2196 wrote to memory of 916	2196	Dejacond.exe	103
PID 916 wrote to memory of 936	916	Dfknkg32.exe	104

C:\Users\Admin\AppData\Local\Temp\b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe
"C:\Users\Admin\AppData\Local\Temp\b2b5ea828b0082b2b234a54595749aea781e027e9ac266f7c16336c1e93ad533N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\Bfhhoi32.exe
  C:\Windows\system32\Bfhhoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\Bmbplc32.exe
    C:\Windows\system32\Bmbplc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\Bclhhnca.exe
      C:\Windows\system32\Bclhhnca.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 404
        29⤵
        Program crash
        
        PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4896 -ip 4896
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
80KB

MD5
3cddfdfa5d7fad6e8940e08c79c0d2a8

SHA1
a840a1d4c10ecb22eda6fc904dbdecbafd5ee234

SHA256
a59c386286ab8249a8061ca2cf1419a0996f0cd0e8d1bd1e0d02594e597fcf60

SHA512
160e2db797eefd5a9fc97f874a6da86c7e3b47ebab6f963454b08a415c0b35a6d60e24339d66b34466b4d6ba7ad38595e81c7d734b07646318efb0409b639da6

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
80KB

MD5
70f6a4664444e886d0b50f6a9d2507e4

SHA1
83b4ad77c37fbc8cc71add4d63c482907771aac1

SHA256
c2b7d8de80bf4a0ab83a0a1964581bdd3eccd2d7807cbb93a918a2c794292975

SHA512
ad7e73ccd8569c9492270a2cb7a6ff59ce3e050055f18b081877ef59ffe17c0fa7fef4964b71e3760e23028350a481b00fd70ab35f0f6ea36c1f416239890bed

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
80KB

MD5
ebd30375ed57c89fa7a9494c8f661684

SHA1
74c210b22cf4d10c29579c91bc555ab7962bd74f

SHA256
5cc99612c0199596899353e08b517f4cd4fa16801d3935d13052926a40ec23d0

SHA512
e1bf81ce8c1863e6adb2dc1a71003ba4b3105e88a4929a9efbcd043416d08960a895d2e6faea18e50a46b51dfa8614522b3590feb75d60ca70f7be7bd3d1ee42

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
80KB

MD5
f362026b45d697743244e7011b435f98

SHA1
23face688e226fb51719106e68290d26bc85c6cc

SHA256
05ea479b9b1812f2141c81efaf7ce1493a420fb6c452e94e5114a92d98312297

SHA512
34c68e71056de8ea91c0376335d7609084fe5fe2668beacdb0cab35d81be2051a28dbd85415a673a1b27ea9e8b8f8cd497a1327a272f6694452ed8eec7211b06

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
80KB

MD5
5f2102c4509732300f3ba9e1b3875411

SHA1
fcb878edc31d3da4da37827b465344e14a2d7bf7

SHA256
cca5fdfc499720e7f2e4fe1a30f60af93cb78d978e204d48575e50d9536d9d6f

SHA512
05a1d5d29ea3139f8d312907f397ff94a7771161e0f817537e5ff37882739401fdba17ac13c2196f2c000e2290a1af9cd87bd99b82e8ed42f343f1d769e864b1

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
80KB

MD5
903399351519de5e54bd70efa24663bb

SHA1
89df05543c4d37dff8b79ffd58adf45a98fa7353

SHA256
129e51968e60442e719f57a638258a86b223814365fb87c0f03ff560842bf06e

SHA512
e7f71586d8d74e6cf2552eea6995276c87e1c083298226e3f2b88ac23c10da28aa93c55fbe3143bbdf3c2850c008807c491826cffed811bd02259e235fc0021f

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
80KB

MD5
e6a2fda87b14ee7eb79b212e43b5b16e

SHA1
db6582831fb0d4d67e957c00ee0f4f689ec3a900

SHA256
b49a28957e59b4f93e2371e5808ad49707ff250315dee43f057d405663c818c6

SHA512
c93f8e230bf66f88bbbed4c4625112732166ea069e56e755e36fe69fe34a3831bd65531beabfa9bc6f0d00705bf17319608a0c0de8468d8d2c375b1233407513

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
80KB

MD5
19cefe2375bf97a23495bf223c002f6a

SHA1
bceee6e94b8fa5d7378dee4c9fd283f67265361d

SHA256
a646c7e36a286e8738504314c00453ba1b3852e8adca4bbc8985f8aee139e5e5

SHA512
c94ecbc75cb8135374e51d805a8d0aa1a2cfe3417852a86351b02e61896a36c866b26d70731bb39e9e006244ab23cc20fcfabd4dcea8fd55e398a75977689792

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
80KB

MD5
8c7dad849512993d1dd36efb971bbc4a

SHA1
21494aea6b6b0a4428c04d965f791521f359dc5d

SHA256
6b016b293401bac69a6003680d96572f6152693c58257695dff9899a88dc0b58

SHA512
4cb7269788f101ac24d52c7d43fde029b59b0e18019ec17a7717b86ee260c03c0bee76add0b679726c523ecd3850665c6906bb1d0234a3c4dc1d965988bb9611

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
80KB

MD5
853cb03f404740ce10e915f4185da9c3

SHA1
feaab3217d788cbddca3aa0e60ee7ee63696a199

SHA256
5cb66277673e7d9f36eac4f39f6d4ac93b902e13396e9c79bf91778e85092b6e

SHA512
739cd31bb6dbcaba75896d2ca8540a622f7a0772e4a6bd7bdc579a33724b6a457425e74f03f8c6a583bf7cdeee535b11244df92a4b17c5250bb2f2aa4589f090

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
80KB

MD5
535c95d696100d70fb372ffd1eb3e66e

SHA1
9efa06d81690e0bf7a0a818b0b1d9a88f2d351b2

SHA256
4dbfe4bdaa0482ed8494c34c935352ac4ac2e147e88c93eadd89042c4762834b

SHA512
00ad3dbfd66f5d6c66731e5f6ad3de48383f2b53131e0250fcde257d6efda3be2b0f8c7fd45ef98f705570cce598c9e5b2e3352a500e10cf5f8ec018a9510884

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
80KB

MD5
08a39eb7a76b2ac77619089fbd209f30

SHA1
795460cfeb5de043f86a222498a0702dce34821a

SHA256
6666baa0e119aab1cf6aeb7ebb81184fa8853acf71389f601ec3a06b97fb4f96

SHA512
9c280bcf52849557fcc804c8f8f1f2ec5134f6e3b7d229cb58078deaa31d4a58c59e0039797d2788b30727fa5f1145f8ae6c9a19531f03294577b7154f4ad996

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
80KB

MD5
2a9bc629a537bf0e6f3b03a38943f6fd

SHA1
da2ed01d88caa5555e56687baf7df0a9d74ff664

SHA256
8523e24271e7fef37aab928f49206a62edd17af644d8feb349ca7e05811e7067

SHA512
6b565bf97c96955d9d2e2ea69d410ee261ce47d58c99139e4582f527e1197ea3a2f0803cb59485d4b551c944a63ac7978775bd57a27848d314542e60fba56b74

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
80KB

MD5
d9d420d91c4de0157d419e32f78a3973

SHA1
1381afc45598561b83462a7a88732ce98ca87e1d

SHA256
ce9c80fec368c320fe04d495fb0ba0d533e4424eab3156739beb03dad89078e4

SHA512
c8b658a6ee430ee43b5121751f649d03678336f3858e86a9d92fc17f3c34643e8eb35ba75f44392ae81c573e90d7d8e2bcb9963a76db17a036978c9b000172a3

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
80KB

MD5
805939036bd3260dc20b73145bf02693

SHA1
91ecbe8b21f9c392365508f461e511e349d2195d

SHA256
0f0f25d0c4afd7b736599cbc84ab882735c4c5ae8fa06a5def43a40f112322ee

SHA512
31bbb9d34b9facf42f7b53f4cbab5664bcd864b583ebc8eccd3443569dd590b1c85b9ce5f592baf3cce82e23db605fa5a7a1e6e35c2498c39724efe908d787e6

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
80KB

MD5
84cef0ebdfaaa86977c74652c79919d8

SHA1
d4334898974770c00a3dc34dc6723d46a177b376

SHA256
12a75b52a7bddeb8ab73129212e7ceb5f508f1dd46dd0a280eca37ce60838fca

SHA512
5ca1c9946d52de03f88ea2371292b37868f2d1ec5e8f90416ad03eab10c61d6cce77affc14dcd32213c58a7cb5dd789939a461a11f121b354d7710ea2220c40c

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
80KB

MD5
362426f1857a93224e1829726ae58249

SHA1
1ed46d961772cd3957b66c42cf845a3068c07bb1

SHA256
506881d1e4e7ffcc5f57df460032b4a971b810d24cdb1664e389940a1ca7d61b

SHA512
4d683afa6f06d01625cea6027bace4f6a655d255c552947e01905533b72933bca0dba855cfe3df7a265c8525297b07f2a637b0f8290e1dd24cb33b5072909ebc

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
80KB

MD5
48d5d5516188df621ff836411ed230d2

SHA1
bbb929ec39573f406faee38fbadec27b60ca1675

SHA256
6bf6560e70ee948c64c6472dbb7209c445fdcec2abbf9215ae8ea63d61e48b2e

SHA512
5451a82b8c6bad88a7bfeff0b1f045214e221d7ac4125c8b9c27977bbd15e8d99968e3e0f879950c4810f81703b0be331a18e80cc9f302b57ad634833d98afc0

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
80KB

MD5
bd3eec9784449fbf26e4ba666bdc99d9

SHA1
33e17c0922764af9a84d104d34dc0cadc80dc42b

SHA256
97d1386c9ae9ac66158b9fe2b927af9eb28b0acb3b496d4b755eaf0b94b4ce85

SHA512
eb01ef14c495bf8db82e5ada6a0702cb9fc75df75e7e361aa953e4ba80d61fe90f69a8f7225c4c08e861314c24a0c5bfcc1873f036aee10ce3959bb304ed1372

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
80KB

MD5
371292c000db1526a88f90bf49af6906

SHA1
55b5133ef92dd8040098d37c56462ba1e9ce6b49

SHA256
4d17334f029441b350e433d3d3c655613d473f1c7a6504d555f5656737995c73

SHA512
42404ec47ac8518e7439beb3bf4c461a36e130a56a5719cf3acc1f8abd1cf8d7240ec0d615ac5a8689dc981ed0146494d3a33c86c4eff47d5ef49d692bb95afd

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
80KB

MD5
a71c1ce76cbeb6b6ffbc4834c92c1c00

SHA1
0a099cb7c2117eaade293a6307df412401e9af50

SHA256
6ecbd5747f2daa9be3a80030f8f6f7d8f29ae2328a26b2d4898b609d9c65d7c8

SHA512
7bd7385a6f06c545a929d767fb17f7152faa92339bbf2cadfa88d7e240a0a24495bc532aba08e02e3e11762fb1cc333f3576bc8ce838f78c899524186d1714c1

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
80KB

MD5
0e0f67ee29c426c8906c5226c78f1f96

SHA1
a0aaa09165eaf0360713a38eeb2e492b47c6f33f

SHA256
8226d5a95ec3e5ad1b718eedbae90c3e21392db4eb86b6131b8b9b0cb541a0f9

SHA512
c1ade91f4033add62cb6d5df9197026926ffc67a77b425fd6de47600e88cd3bb8ed24c990c34111ff4ebde4de992d2b441700d0c2938b0eb63fa4dff348a920b

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
80KB

MD5
7aa6443950bb07900a700d81542a61c7

SHA1
b4cc645ab1a717f37a190098851858a55558cd08

SHA256
8afb930ce3b06d1194a3bbc2ca7d5a65535569be456f5cdae3c4ae433710b6d6

SHA512
8118e0583173db34a1c1752ed328cf9403da3757294930458eebe4bb9deaf49284e87acc4f55140b2e8aceaecc48a841b98043904eae8c83e7583e6d7ff844ff

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
80KB

MD5
636e34c05e6cc2bede7ff99eb6eaca6d

SHA1
3170a1e38d91f3129dbdc8b9a1f3ad2d3b4c7b3a

SHA256
514c9ae80b4b2cd5594643a8749c5a60e18187d51e2b05e11b7a64ff3990e508

SHA512
5e9620394a35f9c5bf8cd29aac0eb605860cab7b15e66b625f340c22ad343320eeb27707892cc4b795478b4860b602a51daa3642980a9d6ee09a017eba148575

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
80KB

MD5
17d9ebe299467e8cee4911d723529421

SHA1
c793cb0332a6a3d15431447e4e103b4545163ffb

SHA256
6603920b4d53b9781ecc4e3dbaf5f0f39038b2dbe2db069622f3d7c80888aabf

SHA512
4e4fbc196309fa1a7ec80ca61f8f1f983fbe8246fc02fb4e2f68f69e7f2cbc87f50a018e6754352c0643243b85273fbaf6546d8aee0496d36c074c87ad163270

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
80KB

MD5
535732ba85cf3701aed84b9cb8e135ec

SHA1
26e0c9f9fe53380d7425065c5cfcf7bcc5796be5

SHA256
6be6ecbfae7178b5610869f2e4e69ef902c3b4a883634428b9c0749a0397d626

SHA512
4ea0422fa37819a3a1eb67f7e56592a8c869be5d613e8a789d8806907ecc193675af00318c8760080e99468c02d65305e1fe60d4dadee1c8684ff903202aa081

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
7aea418bc1f527a4e17f771a984811cd

SHA1
1766795fdcc34ca0923abb16d19a586a7c136f09

SHA256
a5390e28d6da255d07b423fd23c1bee71a09428ddfa2763f018feefb8b026e43

SHA512
ed90070e4b4c642b4bf6509e56aea5bb5f03d29d814143662116f54ab463b463b07efb982243a67ea86dc8e41c2cccfd87edc7de2d21c5ae7a129166ca086476

Download Submit
memory/220-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3404-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads