berbew | 1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04

Analysis

max time kernel
94s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
Size

448KB
MD5

c8e5586f1f624a4a8c62d6407d6e87b8
SHA1

380a4ac41237037fb0dcf04c2fb95fb60223e32e
SHA256

1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04
SHA512

3c2ad414e897f7bc32eea8fd811b10eef2a5e92e3499e3b898b01300da4e1406c563886074981c8590ab2d0b6c588675433c9fd02a457f374d19540072169126
SSDEEP

12288:ZKWPM4tTqDrkY660fIaDZkY660f8jTK/h:4uZ4gsaDZgQjGh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
4276	Bmbplc32.exe
4544	Beihma32.exe
2516	Bhhdil32.exe
2316	Bjfaeh32.exe
3556	Bmemac32.exe
956	Cjinkg32.exe
4816	Cfpnph32.exe
1028	Cnffqf32.exe
1308	Caebma32.exe
2552	Chokikeb.exe
1824	Cjmgfgdf.exe
3160	Cnkplejl.exe
4660	Cffdpghg.exe
4092	Cnnlaehj.exe
3044	Dhfajjoj.exe
3900	Dopigd32.exe
528	Dejacond.exe
4480	Dhhnpjmh.exe
4452	Dobfld32.exe
2172	Daqbip32.exe
2464	Ddonekbl.exe
4024	Dfnjafap.exe
2960	Daconoae.exe
4824	Ddakjkqi.exe
2544	Daekdooc.exe
3640	Deagdn32.exe
4652	Dgbdlf32.exe
5084	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe

Program crash 1 IoCs

pid	pid_target	Process
4772	5084	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4276	2012	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe	83
PID 2012 wrote to memory of 4276	2012	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe	83
PID 2012 wrote to memory of 4276	2012	1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe	83
PID 4276 wrote to memory of 4544	4276	Bmbplc32.exe	84
PID 4276 wrote to memory of 4544	4276	Bmbplc32.exe	84
PID 4276 wrote to memory of 4544	4276	Bmbplc32.exe	84
PID 4544 wrote to memory of 2516	4544	Beihma32.exe	85
PID 4544 wrote to memory of 2516	4544	Beihma32.exe	85
PID 4544 wrote to memory of 2516	4544	Beihma32.exe	85
PID 2516 wrote to memory of 2316	2516	Bhhdil32.exe	86
PID 2516 wrote to memory of 2316	2516	Bhhdil32.exe	86
PID 2516 wrote to memory of 2316	2516	Bhhdil32.exe	86
PID 2316 wrote to memory of 3556	2316	Bjfaeh32.exe	87
PID 2316 wrote to memory of 3556	2316	Bjfaeh32.exe	87
PID 2316 wrote to memory of 3556	2316	Bjfaeh32.exe	87
PID 3556 wrote to memory of 956	3556	Bmemac32.exe	88
PID 3556 wrote to memory of 956	3556	Bmemac32.exe	88
PID 3556 wrote to memory of 956	3556	Bmemac32.exe	88
PID 956 wrote to memory of 4816	956	Cjinkg32.exe	89
PID 956 wrote to memory of 4816	956	Cjinkg32.exe	89
PID 956 wrote to memory of 4816	956	Cjinkg32.exe	89
PID 4816 wrote to memory of 1028	4816	Cfpnph32.exe	90
PID 4816 wrote to memory of 1028	4816	Cfpnph32.exe	90
PID 4816 wrote to memory of 1028	4816	Cfpnph32.exe	90
PID 1028 wrote to memory of 1308	1028	Cnffqf32.exe	91
PID 1028 wrote to memory of 1308	1028	Cnffqf32.exe	91
PID 1028 wrote to memory of 1308	1028	Cnffqf32.exe	91
PID 1308 wrote to memory of 2552	1308	Caebma32.exe	92
PID 1308 wrote to memory of 2552	1308	Caebma32.exe	92
PID 1308 wrote to memory of 2552	1308	Caebma32.exe	92
PID 2552 wrote to memory of 1824	2552	Chokikeb.exe	93
PID 2552 wrote to memory of 1824	2552	Chokikeb.exe	93
PID 2552 wrote to memory of 1824	2552	Chokikeb.exe	93
PID 1824 wrote to memory of 3160	1824	Cjmgfgdf.exe	94
PID 1824 wrote to memory of 3160	1824	Cjmgfgdf.exe	94
PID 1824 wrote to memory of 3160	1824	Cjmgfgdf.exe	94
PID 3160 wrote to memory of 4660	3160	Cnkplejl.exe	95
PID 3160 wrote to memory of 4660	3160	Cnkplejl.exe	95
PID 3160 wrote to memory of 4660	3160	Cnkplejl.exe	95
PID 4660 wrote to memory of 4092	4660	Cffdpghg.exe	96
PID 4660 wrote to memory of 4092	4660	Cffdpghg.exe	96
PID 4660 wrote to memory of 4092	4660	Cffdpghg.exe	96
PID 4092 wrote to memory of 3044	4092	Cnnlaehj.exe	97
PID 4092 wrote to memory of 3044	4092	Cnnlaehj.exe	97
PID 4092 wrote to memory of 3044	4092	Cnnlaehj.exe	97
PID 3044 wrote to memory of 3900	3044	Dhfajjoj.exe	98
PID 3044 wrote to memory of 3900	3044	Dhfajjoj.exe	98
PID 3044 wrote to memory of 3900	3044	Dhfajjoj.exe	98
PID 3900 wrote to memory of 528	3900	Dopigd32.exe	99
PID 3900 wrote to memory of 528	3900	Dopigd32.exe	99
PID 3900 wrote to memory of 528	3900	Dopigd32.exe	99
PID 528 wrote to memory of 4480	528	Dejacond.exe	100
PID 528 wrote to memory of 4480	528	Dejacond.exe	100
PID 528 wrote to memory of 4480	528	Dejacond.exe	100
PID 4480 wrote to memory of 4452	4480	Dhhnpjmh.exe	101
PID 4480 wrote to memory of 4452	4480	Dhhnpjmh.exe	101
PID 4480 wrote to memory of 4452	4480	Dhhnpjmh.exe	101
PID 4452 wrote to memory of 2172	4452	Dobfld32.exe	102
PID 4452 wrote to memory of 2172	4452	Dobfld32.exe	102
PID 4452 wrote to memory of 2172	4452	Dobfld32.exe	102
PID 2172 wrote to memory of 2464	2172	Daqbip32.exe	103
PID 2172 wrote to memory of 2464	2172	Daqbip32.exe	103
PID 2172 wrote to memory of 2464	2172	Daqbip32.exe	103
PID 2464 wrote to memory of 4024	2464	Ddonekbl.exe	104

C:\Users\Admin\AppData\Local\Temp\1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe
"C:\Users\Admin\AppData\Local\Temp\1d9f2c95626c3bf00ba2c5ca8158e81a731b888ee077c74614c076f90c972a04.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\Beihma32.exe
    C:\Windows\system32\Beihma32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\Bhhdil32.exe
      C:\Windows\system32\Bhhdil32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 408
        30⤵
        Program crash
        
        PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5084 -ip 5084
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beihma32.exe

Filesize
448KB

MD5
f50425d888e6890f72a49a98c4c7e33c

SHA1
bf8ae05967ad18e914868a35f99b8b392dfbd1ac

SHA256
93f8e0822fa148feeed0cb5f4c04b79bafbc64429fc5f23352d83306a29f4335

SHA512
fc1d41a7271bc095055d27a0756268bf5d37709b65c79467fb9881edfdcc41d9a8f21cf65a827004cf0478a1ba4c0d26db87769e0061237ca9379b8072b50dda

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
448KB

MD5
e7985b6dba5e402b6e2217d6b1b62785

SHA1
99100c3492ce6db6c32cf6053ef9f13877283c69

SHA256
30fe09bed4ac84e716b53b41984b0f79d0769b27540a0543bf7e860560f3f03f

SHA512
30cd698db6d342bca491b52d0f9c945abb384d711365cdb5958d19bbfb966f5ef298b5b7c31caed0f3b7c58e1ca51f893423636cbd85cc71e7cf5958a95d018e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
448KB

MD5
4cf731f055b98e176e4a7fd279f0b6b9

SHA1
0efe68f35f2da62be38b92f5a74b08f4a2862b79

SHA256
9499fe8a84ec820eb7f56c03a436c0eeb639a089c9c6321f0c78b569d135dd3b

SHA512
4c3e341e87355502371b81ed41d45f92a9b5fe8ece9e36bff2200c9f8ca385e44f10e4bf3d3993ec38cae2a58b4fadac01d9c9c33627856469751ae0eb1f5e1a

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
448KB

MD5
0adaad5e9734aeed36e68124979189b5

SHA1
416ab337301f0c62131aff57d9e4b52631852f0e

SHA256
506fffa8ed4cdca357c2b09610c2d9343c8a075381650598566c34b961dfad96

SHA512
019bde8841b93d2052b4d19f09b401d5d3f0e397f54d2ce854e7ff43e779f2734676bfcfb6a0098e8beb71d75e6724bd190fd3d4775a1fb4f92f4b83ddaab232

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
448KB

MD5
d0f59fdd094887eacde1c84356723ff8

SHA1
477449013ce20586c48d9c6a5236682bb273d935

SHA256
4e58f571ae60848ef515228c27c6b2363bdf159a7b41fbcfde8a93a302a25fb3

SHA512
69df65ae9cb974c12797b0b80dd6d9a5cbe5a3707d0d9751f5874ae93c93b5e9f8f4254fe14da221e06c678fc4a795a646d0269365924d05d87928b95b708a79

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
448KB

MD5
3b6870bcff0cb2472625a3defbcb5907

SHA1
489679bc4b283223bb40b082e2149c468596a762

SHA256
2e35e1b8d4d453b94ddb0a65cff0c34dd1f43397b2f4353a003689b64b6eab50

SHA512
50d43f6d3913710cf00c026d080af9297f5849b98c5292d142fb5455e02c5ed409033e674b21799579ea83384d0a33131dc7ae788135ea4aba42b32104c76dec

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
448KB

MD5
4497af54d88e6f214b6fe1097fff799f

SHA1
f7699fd419907ad543d4f017e7a266549f5d343c

SHA256
ff8c82fb55e65be1b4026558d849dfac6423879acf38e8e2ff32bd887542bee6

SHA512
3be30cf1b5e97782d95c97c7c23d913217b191272b76de81444aede7f18f1829a2e021bcd8f5e04f35baf1029901501fac41426c1e427afbc4730b719b45975b

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
448KB

MD5
237237d548577b7609c86ceebfec4037

SHA1
38b8460274d890a9f63d085e2d6571b7ad570ebf

SHA256
37072615fb36828bbd6807c679478ea538869ef37b1642ad201997b00f308a20

SHA512
94626ccddf503c14feabb0b1bcb74fea3302b2fe0d36f8684990670a6371fa1be380c33ced618d6a1ce6a3d635d5df7c31182340f0bff4c9f08114c42397ea50

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
448KB

MD5
c129334f34a54c6cbce8d7370ac88a68

SHA1
ac25e1820b19735b774d3c2fcd8a2398a48e8bce

SHA256
960a69e44d37623a1335dcee91d93985c55e46e1f466df5e17727845d48408c4

SHA512
7512c5cd54e71dc82b6218c937e1c42e64999a57f9624466b914370fa00cc538d44b5315259e5bf1948e2b48e0eb72721fd0d1ff5fecbe18d6d52fc68d566676

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
448KB

MD5
7d83e6734f04a1392c05ccf145b3394e

SHA1
8a866bea3942deb21de3622d07e7b04103023976

SHA256
04b3f75512970b3da1b39bf33e054d98063a217f8887ea397eb799c468796b96

SHA512
83cfda4116439cb54b8d59fc62dfabb141dd138cb18f70b6133144a078a85b7d83aa0f8b33a0f0ec66841e6a74e9d7aa40f93f8d31aae887514aa6a46c0d2726

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
448KB

MD5
8dcaafc9d0ae5cd0fbafc18d05a0ddfc

SHA1
1d4cb8099c867853280bfd96243507f8aa1f9c5d

SHA256
b70be498b8c852c5bc46fd438718d9f3934fcbae0e641b428c7ccbae9d333323

SHA512
6f75062a0b6b3d7888aca437cd04123c6f4a9437964c5bd34c05351efb7dca1d6ce5846e8b6fb01d109cf9df8594848da3172e651bde814eceef15fe9bba03ef

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
448KB

MD5
107a8ad6e328598a4622f8ee3860f6cb

SHA1
acc6bdb8fa16c2163255002309e61aac6ed929f2

SHA256
9b5759d2a4ec2dec0c52479e7dcde068e9c9f687782f54762b33c0c8152f1705

SHA512
9e48a5372f5186f3a6d0de88855318f9667860c57c9e374f06348b4bf27de981a6bfe2fc1b6dc8eed88c90b12567c0fa63ea38551f7984abc7e547e3d7983e3d

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
448KB

MD5
c2d203382da61a50bab75042ae80961c

SHA1
23d0509529d6ed3b1b698ae3c47861f7f9543c4b

SHA256
280637f67db690527dc453e0792e55308729a0301efb186d79c9ed31dbd885d0

SHA512
201a9666af6dfcc1c7502fe9ca018d55b4ba716338ea29be0ccdbe5adbba43b3cb51be8d54baba1335a7428c33fa31f84ef4e5ee0fd7a8877e2857106d788871

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
448KB

MD5
22d69a54a64d6795f859fd2eb3b6582f

SHA1
e2d3a7a0746876feea80c9e14c32cb3c2a8cc8f9

SHA256
e7147d3caeaa182054303f3414e7e3ef55419215ef056494d44179b066321f4c

SHA512
878eaa0cd09012e30f4d9d2aa39294348b7ba66b9dae836dcc258cb9d64c42011dfb9f70564becb730abfeaa2ff6cb4507b67956cc4b0b6687e91dd0b5f3b2a3

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
448KB

MD5
3a93ce7a5844da53a987c6f38006c7f8

SHA1
b762341fe97c424e3cb5c3a66a1c29500eea2891

SHA256
7cf1330268a87742fac2e40a604b0d59c1eb75cbd29380a24a2141c4ec4475ce

SHA512
107dd929f12debe6c00e5c632ee85b0f6edcfab028505b1b5ab5157c0710ad763f400aef4c95b1fe4c75be1f7fdd302bfee32530ad4b61913b5d1a16420fb897

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
448KB

MD5
1cd5d63496756fa879030fb2a5171653

SHA1
26442b27aa5afb7e1121b92fdddb6d935078df35

SHA256
da9277ac0ef5679b82ca9f0bcb5a9b196a83e792056b3047568a7bb5e3ec5a01

SHA512
0ea4d13ac27aa66f7de52771c63082a46fe9f440fcb2739ac91a3153130d788175549913db2e9e306f9393c533f66610d88dfb7419f22c2d75f3547d6f365519

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
448KB

MD5
6da300cf3f68adf7ce8fc30da933bbdd

SHA1
1f3339771274ebca470763f217a2698beb376114

SHA256
8185ccb9be49b2d4acd748f2363af49cd43f373555dc8b1f9ba302abc14f727a

SHA512
3553a44fd71b69deb8ba364e9c9d5a95ad1f81aad3ebc269b47c1441d048063108f8da36336a94a5972227c3bc7fd28e87834db0431ac56938824a88800a9564

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
448KB

MD5
15748b0b5655a26e3202b8becef9aa09

SHA1
50d6ec9ff81f18463da8890913d4d393dca84f77

SHA256
94ae87b430f846cb3094f78405c5d5c4ea9ed615ccf16bec0ae8ce7453afb67e

SHA512
7e1850e420ec1d59dab0eadae0f8f09b7896f32bd119d3c975106f175dcb0e09b5f5f4f3d8a44be9809dc1f919dbe26f2df49633abb9843a7adfb27b06bee32c

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
448KB

MD5
a13d051753e2c05a907227388952cd51

SHA1
96155a8a28191173e96e93bea57857b74ff6f888

SHA256
f5c2dbe76c338d7bda506193e5bff5f746e354f0be97cedd9b30ddacafcb8e33

SHA512
185b02ee44a71d905eae1fe33022d4b7718f75f97c8954ab2a64a18bc58d03c36c3934f499db7b659632bd0b1d1d9ae28efb123506c725be5ec5d14587c520e9

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
448KB

MD5
2fac00b25c4842d4e7287c7a0f5684c4

SHA1
9324388c6fa2a523add0a5c37a7d704eeca3deb2

SHA256
cf58124492d521f3c0d456e2640ed6b09b2db861d794aaa45fd85275d883c698

SHA512
9d0e362320c62a97c29bc319bd8e1707c22889d2ad39785afa11c9a31701101766d0983274df39bf1e72b457213d1785b440615068d2073e7e349c04b489353b

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
448KB

MD5
0dba1ba534869746d6b885ed90793e45

SHA1
f3a3416d3899630dd51d7f199949efcb6b8f624a

SHA256
685a9f88fd270d0b86187e1a208eedb63bbc158e9fa7d14c050facd52bd5a290

SHA512
728e00fcef792db864ddfd51a68a7a272e1f924008bcf376ed8a403e18c3f6c85802de90a9054282b17a4d15e55259161686013610b3f0c5078a150ad1366a8c

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
448KB

MD5
a75ca968500b7eb954544e76767f2a72

SHA1
a6f15c0a956702492135a37ef1ce63b7d4498b62

SHA256
8b2ec210bc3b24e4ccbdb856c357b56f0324233344fb3a6a72b0a71108a738c5

SHA512
4b55327d8dc4350b549b975ab73b23c7db3baa7f7f8fae068be7d33c549638f47d76c2064a53fe549860f2c17043046b17422f6a5d89219837820c6283e9618c

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
448KB

MD5
a0ad7a430d67aba8fcd3fa9386912aa8

SHA1
1b4fb4664c46544b8d2f3af2de5c8f20c405ba8d

SHA256
2ab31afc4a2ad4a225f76036451287fb9f029258cdd6dae72a110d9e03f95a23

SHA512
1de88dfc1a5c4636ad6751b243a21541db7295fea441a1cd06feebc5bdccc7ef7a7fd5ac0faf9a797c4e7aedf56d97908e0e93201ff635be1451930795dae2b4

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
448KB

MD5
4cb381e8711dc4fed15c78967c224140

SHA1
48f84ff5c73b44f4c2e4c41e88244f71eb943c07

SHA256
89c9b6ac29c107f29696350b3466707df1560832a3719afca3f50314f7ac17e6

SHA512
2226b5ba0904793ee77636c3d57579d68486452f966c783a2cf88f7d1bf5266dbe6f9b1844e5c773a1328dfd16fdb298539767acf89dced1e8da42f046c855bd

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
448KB

MD5
d5445ae1cb139802586eeb4de1ba2255

SHA1
a60d02c165e08f0a5e9712353cc900b6c8edbe32

SHA256
fe4dc0194bd063e4eb61a83ae8b4861ad81b5f7324ac631b8698c727046dda47

SHA512
14feaa023a02b6e6b60181015c021bebce18305fe597cf781557d6cbaca40531bb94ccc90f7d6b7b219708385910a12399442fe76b34ad37163c46f0173cba6b

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
448KB

MD5
3f69c0e39f629a9995ebf63d638fce52

SHA1
58452c020270afe7414808cf9043bfd8942f1e00

SHA256
aaa38d6c779d307c0dc4558fb843cce221abb2b708bbaea6cb3b8cf4eb733df1

SHA512
891c9bb4df1701b3f6d7b6109c90bc1ebf85085ba2445554569469f3ca4a1bff047afb53fac217887fecc566dfa63b51c313ceab9975e5fbcf8625471434e336

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
448KB

MD5
578116cfb639a124d55225fe6e23a2c8

SHA1
98e3471ba47a7984972af065326d7764416dee7d

SHA256
59fdb5fc777a6eb01ae45ab9c36f8295ac3b34d3e029db75f53b25fc265e8f78

SHA512
525f8647bcb73d367e913e0af74752b7b049b2046c1e3d05f3bcc9f0e9af3a394e377737801d3de52cc10e73bf51255f67b9e8ea1d4d25500b320a3c232f62ed

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
448KB

MD5
996eb6526d9cc6b61b6b81ba3725f979

SHA1
3c00b14afc71af1e50a1fd44e79ecc0aabc3a66c

SHA256
4ed1a0048e412471d71facc150de56f958a85bcae47797b105f664039b25ef6e

SHA512
cc014d4b2ae8745471c97768999f08780753976eead226ccb8e25d2ec73b737bd9ef76e69a576601eebf71687b5003edc7bcb9e2c018b80b305ea845ade6532c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
448KB

MD5
334f89b8cf431477b8c442e71e463609

SHA1
00f2e5851c8c2f91f61a2363f84f26b2f92bed2c

SHA256
ddd26d3a8c752b52153433f8540b7b1ed7bc493a5197a72f4f60407d6bd1c2aa

SHA512
019bddb8c3cbca7acabd9fe74dacc93df4ec4f269804e42a91822d95f6aa19ad198076bfa82250d3e2b9633f47b72329ca699698c747a7006486694d1803d873

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
448KB

MD5
db591104f1923b8bea4f46881c1aa794

SHA1
52626dd8e3bcffc569f501276b74d3313cf473b8

SHA256
22947583dc5dd7ec5650c006d81b3e8e0e95adca2112d4f8092959aec16c50a5

SHA512
a95891fcabd55bd1142f5543400122b5732081b2014c01734b07fef5d00b4d472326ebfdc99cdbee9ba85046e8dcf9184ff93cb4637f7801407cdd808f1b739a

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
448KB

MD5
9544ac937c55670d95636dbbddbd953f

SHA1
75a49b5d3d2cca3428cd3e58e112cd4f3b3fa4d1

SHA256
d1202e75514ab17d414fdc0b6c61caf68f923746200863100b52dff9fbaefbfa

SHA512
332ab805b95f723a620c67c22d6ed574256d9f9209763dd6996b68bd51fadbf1bc4337f67ebadd5f6efc86b6e6ccdb90b7bf73eb8acadc2c6b2016e5cad204d5

Download Submit
C:\Windows\SysWOW64\Mogqfgka.dll

Filesize
7KB

MD5
dab40f016f9177c78d7461deb472244b

SHA1
b6c1062346f3bfef569a7b0fe6fbfd3cd16fba9f

SHA256
b0e47133a9f5c90d1d8de8cbedcecb5b83a44686d45198599b9dab4eaadae34d

SHA512
c3c6a8ccca7eb2c7f1754cf0fc3554f1a97a51bba533584d75e1f22019e2fc68a3ede3a0cc9060d0c63f536ed2c6a00f185a34cda6304d969dfa6e7393ca8b42

Download Submit
memory/528-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads