berbew | ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
Size

96KB
MD5

c492ff5cd2600acc909528972aff9480
SHA1

5e2ed08eebfcc4eceb31771f8fef66f32c975e41
SHA256

ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42
SHA512

1944b104b3369f91c01e4690bdf609b9aa433cd84ab74bafe790b86f7fac32ac4d9b50b5415da47ad6a7b234bca9e5f3c415c4a934560fb12a5c3cc24482fc3a
SSDEEP

1536:E1TnKvhpn5w7GO6kr2TestdUSg2LOn7RZObZUUWaegPYAG:Ed8hE7zr2TFtdZOnClUUWae9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
1352	Bnbmefbg.exe
3068	Bapiabak.exe
4172	Bcoenmao.exe
5008	Cjinkg32.exe
228	Cabfga32.exe
2372	Cdabcm32.exe
4704	Cfpnph32.exe
1624	Cmiflbel.exe
388	Ceqnmpfo.exe
1788	Cfbkeh32.exe
1636	Cmlcbbcj.exe
2980	Cdfkolkf.exe
3968	Cfdhkhjj.exe
2212	Cnkplejl.exe
2608	Ceehho32.exe
2568	Chcddk32.exe
3712	Cnnlaehj.exe
4136	Calhnpgn.exe
1964	Dhfajjoj.exe
1492	Dopigd32.exe
4744	Dejacond.exe
4760	Djgjlelk.exe
4084	Daqbip32.exe
1736	Dfnjafap.exe
400	Daconoae.exe
4452	Dfpgffpm.exe
4924	Dmjocp32.exe
4932	Deagdn32.exe
4688	Dgbdlf32.exe
3928	Doilmc32.exe
1336	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2976	1336	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 1352	4316	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe	83
PID 4316 wrote to memory of 1352	4316	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe	83
PID 4316 wrote to memory of 1352	4316	ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe	83
PID 1352 wrote to memory of 3068	1352	Bnbmefbg.exe	84
PID 1352 wrote to memory of 3068	1352	Bnbmefbg.exe	84
PID 1352 wrote to memory of 3068	1352	Bnbmefbg.exe	84
PID 3068 wrote to memory of 4172	3068	Bapiabak.exe	85
PID 3068 wrote to memory of 4172	3068	Bapiabak.exe	85
PID 3068 wrote to memory of 4172	3068	Bapiabak.exe	85
PID 4172 wrote to memory of 5008	4172	Bcoenmao.exe	86
PID 4172 wrote to memory of 5008	4172	Bcoenmao.exe	86
PID 4172 wrote to memory of 5008	4172	Bcoenmao.exe	86
PID 5008 wrote to memory of 228	5008	Cjinkg32.exe	87
PID 5008 wrote to memory of 228	5008	Cjinkg32.exe	87
PID 5008 wrote to memory of 228	5008	Cjinkg32.exe	87
PID 228 wrote to memory of 2372	228	Cabfga32.exe	88
PID 228 wrote to memory of 2372	228	Cabfga32.exe	88
PID 228 wrote to memory of 2372	228	Cabfga32.exe	88
PID 2372 wrote to memory of 4704	2372	Cdabcm32.exe	89
PID 2372 wrote to memory of 4704	2372	Cdabcm32.exe	89
PID 2372 wrote to memory of 4704	2372	Cdabcm32.exe	89
PID 4704 wrote to memory of 1624	4704	Cfpnph32.exe	90
PID 4704 wrote to memory of 1624	4704	Cfpnph32.exe	90
PID 4704 wrote to memory of 1624	4704	Cfpnph32.exe	90
PID 1624 wrote to memory of 388	1624	Cmiflbel.exe	91
PID 1624 wrote to memory of 388	1624	Cmiflbel.exe	91
PID 1624 wrote to memory of 388	1624	Cmiflbel.exe	91
PID 388 wrote to memory of 1788	388	Ceqnmpfo.exe	92
PID 388 wrote to memory of 1788	388	Ceqnmpfo.exe	92
PID 388 wrote to memory of 1788	388	Ceqnmpfo.exe	92
PID 1788 wrote to memory of 1636	1788	Cfbkeh32.exe	93
PID 1788 wrote to memory of 1636	1788	Cfbkeh32.exe	93
PID 1788 wrote to memory of 1636	1788	Cfbkeh32.exe	93
PID 1636 wrote to memory of 2980	1636	Cmlcbbcj.exe	94
PID 1636 wrote to memory of 2980	1636	Cmlcbbcj.exe	94
PID 1636 wrote to memory of 2980	1636	Cmlcbbcj.exe	94
PID 2980 wrote to memory of 3968	2980	Cdfkolkf.exe	95
PID 2980 wrote to memory of 3968	2980	Cdfkolkf.exe	95
PID 2980 wrote to memory of 3968	2980	Cdfkolkf.exe	95
PID 3968 wrote to memory of 2212	3968	Cfdhkhjj.exe	96
PID 3968 wrote to memory of 2212	3968	Cfdhkhjj.exe	96
PID 3968 wrote to memory of 2212	3968	Cfdhkhjj.exe	96
PID 2212 wrote to memory of 2608	2212	Cnkplejl.exe	97
PID 2212 wrote to memory of 2608	2212	Cnkplejl.exe	97
PID 2212 wrote to memory of 2608	2212	Cnkplejl.exe	97
PID 2608 wrote to memory of 2568	2608	Ceehho32.exe	98
PID 2608 wrote to memory of 2568	2608	Ceehho32.exe	98
PID 2608 wrote to memory of 2568	2608	Ceehho32.exe	98
PID 2568 wrote to memory of 3712	2568	Chcddk32.exe	99
PID 2568 wrote to memory of 3712	2568	Chcddk32.exe	99
PID 2568 wrote to memory of 3712	2568	Chcddk32.exe	99
PID 3712 wrote to memory of 4136	3712	Cnnlaehj.exe	100
PID 3712 wrote to memory of 4136	3712	Cnnlaehj.exe	100
PID 3712 wrote to memory of 4136	3712	Cnnlaehj.exe	100
PID 4136 wrote to memory of 1964	4136	Calhnpgn.exe	101
PID 4136 wrote to memory of 1964	4136	Calhnpgn.exe	101
PID 4136 wrote to memory of 1964	4136	Calhnpgn.exe	101
PID 1964 wrote to memory of 1492	1964	Dhfajjoj.exe	102
PID 1964 wrote to memory of 1492	1964	Dhfajjoj.exe	102
PID 1964 wrote to memory of 1492	1964	Dhfajjoj.exe	102
PID 1492 wrote to memory of 4744	1492	Dopigd32.exe	103
PID 1492 wrote to memory of 4744	1492	Dopigd32.exe	103
PID 1492 wrote to memory of 4744	1492	Dopigd32.exe	103
PID 4744 wrote to memory of 4760	4744	Dejacond.exe	104

C:\Users\Admin\AppData\Local\Temp\ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe
"C:\Users\Admin\AppData\Local\Temp\ff7a32dc60918a9ef2a988e235015d958a187545131333bca2188bd88ca9ea42N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\Bnbmefbg.exe
  C:\Windows\system32\Bnbmefbg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\Bapiabak.exe
    C:\Windows\system32\Bapiabak.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\Bcoenmao.exe
      C:\Windows\system32\Bcoenmao.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 404
        33⤵
        Program crash
        
        PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1336 -ip 1336
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
96KB

MD5
a49225d3ff1b8143588c69c6438d4786

SHA1
4f2c24e1415856dfa3790523ac82d635a06cea97

SHA256
955768df5b9fa4c7e9515292677a1d3ab57e91c3f86307ca3d256aaacae84d5c

SHA512
ce93db02094cbe2bfb244fd6ce56dbc2bce9cf13b59834f6c9a15f3f8151f06afda81b352090f761761e160613a41c91370729c30d5a54274fb6be4d6ac1cb2e

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
96KB

MD5
7455987e12d887d8eded825d01ba9cef

SHA1
ae246c61b468651cae48978faf1baf96e2142248

SHA256
9c760cfa042978a227db50c69926d2aae274f600e9fde4039f525490bdafa132

SHA512
80751b7634248036abfbfda7aa3c3f5a17ef406aa5c25c9a803494f6e7ac0691f5b8b1f31c18ed54ef149dccfc83b85948f1f7635d20ffd1d433ba691e206cb7

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
2899e8281d738c7247edf3bff504ec69

SHA1
8e0edf42dce2c7374fcf5e17d9798ae2eef381ee

SHA256
b15e6a8e41993265eecb3fa10f0451fafe3e7747eda85191963d0dabf721492a

SHA512
351f92abae1a7c672d9f086fa12fbd32191c8e655c8978eaefba1a81e02948c399a89198f4282309ed6caa21c6cecc2f7792d11f0d6a9e51494c9df59d0fad48

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
17d291ebacbf0d11e17942fbd12b1eb9

SHA1
cd8d3c46432dd422337c32f13bbd7ed4a1d348a2

SHA256
6c2886813366be58f092d6443328bc9ef232e0d01bfffb6410cd982cbe6072c4

SHA512
0e2e4678fdfcf0274cdb66c562e8944d90edc8cbfb8f7ea7bbbea2c305736ad27c12a0d01fcfb09226c35ce7adc16c8d8110b084bdc806c6119238a3f16593e1

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
d0912a425b4b480ba60787906685c140

SHA1
a059722dbf74ac8824c2c0302e75682b49b2f2f0

SHA256
4d53fffcf7535f5a528b35e6173115154337b34591031637450eb92bdb91de79

SHA512
12567d3e7cf0f9df870aaf589f24c3b88f7a8fcf3b8eb57f583c7efc57ec36ade8bb04dcc06cd6c9603e50ec4a91659f47285de6e19cd4279d0cd34e6ba86039

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
ca982ce0ebf1803ec2f75b0c69e8a728

SHA1
8f28ee1f9e0785acb624271e17841891dbd98f20

SHA256
b33ff2b79c90f6bf067791ddd3a83eb40f8e978f553472f17d7a26ef6e2cd9a3

SHA512
39c11817f095e90a274bc3b963e4118d70b6a4ffed6781b11c7f5b3bd3fc76d863438bb6587d99e3571fab0892629ddf1469be760d04ff895d1c54c234274173

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
e161a0f4d3b56422234b542fdfbf53f3

SHA1
c9dc12bd976749c04ec30acc0b06e45901c932f3

SHA256
9890e7c11a231f245ccf68a8822d8c65b576c4d5a63690ad1ad6418ed1a1c85f

SHA512
c0c67dc07d48f63f8e974900e70fef5f636be769104485bde2ecd7baf1eb24513d28baec19e3753ee22f3e17315076e2c08dfb5c61c70c3d225b92caa012bf8b

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
f96e2e6f72102830c15cf16d8e6934fd

SHA1
f61cf63cbab20feb92180dc76212635c1556009d

SHA256
ad139d6c11543c7c268dcff8e55ec97d605df956245d65492acc05fe690b28a6

SHA512
06f16dad2223ea5a999d20c7ab2ab5cd47a33a88be2b337df201db7977f84ec9c06b3f1ae1f53ac651e74b9585c9492ff83c8b85af74e85b18f2875599635e69

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
567d3d02ad307cfb7634ee6090c36599

SHA1
25e1eec77778f9d00f4d0a5d6141834a05f612ee

SHA256
aad24e1d321b2fdfa4671bf75008c2db319f77ef21b3c52104470821176c3fae

SHA512
626e53379260db01e94f1fa3bb5c77436501511e6023d9bbc433a19b80d4102216c88bdc5007686e9a2aa73bc0ab20368f9625ee53d902fe1b615f8907412849

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
0d2872e9e5b608e784e18c085032b7ac

SHA1
29a4913716c7e133d327c7eac043189fe981dc03

SHA256
c67891745c5027b5d985c63820dc64a429131e074f115ab0af995ec8f7959690

SHA512
279660d5197ae88ddbe8092e7e3f4a72d59eca39497490381c65f90eee97b3c4be1da6ce1c749a28b91e4eb396605e0dd2152e8654eec622e3a55657230fa170

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
61c3aeefe7c90da9eb78b51ea52efa77

SHA1
0d777737cf5311894563a3b5af8c862086c30f7b

SHA256
6e918343db2d75c626794fa78841041c2e23a171bb323ccab3326751a59534c8

SHA512
c64266763d11ecead237e8ce0e1813be4b18d7fc45773d5ac9d6155b3a34db1e8061425f86db2e3c5f3522f7c22134fc8e55ff1c4ac727d464e7ee60d1543fcf

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
8209768b2ebd8f90572e794bc84f3d9e

SHA1
7102b63b4b9fbb19372b18042ff47af7892349fb

SHA256
2945097e7e69bdda40b334e2d16b4c3848733946969febef9eed1502e88e378d

SHA512
8c070a972b148b46b7237bd081668cc7f36954c77504e493df82d0a27c22949c0e0b38a4739e7a340175b1dcf01a4082a3af31392fb393ba50fa632031e59d36

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
47d94b50c4fea191488319b2511745fa

SHA1
70e7c5598392e03e89390b8b838b2760115c1d12

SHA256
b9aceb73c7143c3814d89376d54769c714fd961feceb210c65ca6766e3316e72

SHA512
45b4db929b8bf330770fd1f84455bb66fe5eb2fee86ca4f9b61d4db15d4b9b9fc6f8d13c644c06ebc09cd911fa73387102c20d9ad99e0a069db5ce2bd8d62d68

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
a1cf47b4ddc73187100ab6873c6b5e27

SHA1
c9228741ab13befefae172c22404728de0fece83

SHA256
19fc524959b1c3d6f5f9b4af197d59a745972415e473350416dbd380e0e60d16

SHA512
d663cb437cde3242e9ff774b2b4f822400448bbc6eecbfbaa73cb908cfe901dc11fae520217ce69136edb6cf5bc4a7b1ee90bd5b857b9189dd5a814fdf356cff

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
afff7dae7f4ddf36219c469c16974a9c

SHA1
d9612a7cfcd6e04ced61463f2420e3d9b7cb8645

SHA256
e3fb17c02ffaef937aefda1907dfd4be53ee94f7ff30affa6f43fee4b4fe01a4

SHA512
73eb013ddad79b5fc2596901140d9c77ea184f5ba270e0deef0588e67d4f4ef695415ca677fd24e1258dca7757810a18873b904e8d658d815344e0ad6583bef9

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
b9ff8af2336a50847cd0a6c8cef8cc3e

SHA1
037ca3aa73219a46ad4e209c9426d7ac34f686b2

SHA256
6ab67921a4ae4ab4a49193555278cac5dc61504f1b151c5320aedb0bab0d30d4

SHA512
38861a41b6901b7bfd83a4e9c89116c4f9fee0d1033b5fd73191e0fd8d9d0fcc35f00342d10e56a55b27aae4ee47d437cee4795280a1606356a6c65db7a6c9c3

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
e36cadaee79a7fddf2153c210f4df732

SHA1
c9e742b5e94758002b5d541d04359ce6f86a5eab

SHA256
1a00e70e0871d6e08d6052624c48e452f28281eff9198879847a546013b1cf9f

SHA512
b33d1d13e8d68f7d6e6678a0c11e79614cb5677784199d0d4021a57df0402d9abf0e6dfef953ab3378a662637d8f28abf705b8d2f42b884982f42f21783ed70d

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
3866ba69f9364df82c68ed2707b317d5

SHA1
7f4b6b9be21c1d4de72bdf011f2654c39e3643e4

SHA256
c2af4922f5086855328100841572bc4ff026e3e59ff4117626dfc19a179fe7b7

SHA512
16ef6965f3372cfb75021463266608f19dcf842beebdffefe94764677db4db86994fa1e166e25916920338db0da848bf25c4b855eeda225d74c36b9b07a87803

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
9fb213d270a8e2e239d9450cbae4a788

SHA1
2012e7dd42a3c9ee1aad7fbdf64adddf0a15c991

SHA256
5c013c8b5e21f98381b201660c8570539218ad94b097c339fec3171fe172199d

SHA512
c3b113dbf90886d26f846e8748bef0c8991351e91355e1c6e0859b9bbe2684d39a399e7304f7e420fc1d47859b0faa5e372440a3b5119e02263560e7de9553a4

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
794ca270f4a9745deac3f1897e0df150

SHA1
91934b202451529b948319cc716d3c8db718572d

SHA256
7f1a5954d3a8e3ba9f36897da28434b2ea40ebf2ecea2ba64852c933097435d3

SHA512
8dd3c923cb851f4859c544b6c93c038b40770062f2f673b9581e6a679cbded7572f7ef0d0fc9c002e441ada658ddfcbfe4f26da780e68bd0576f5ff62fd3fe80

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
2fc72ecd4417c95620a412cbd0766f9c

SHA1
e9926a28e83751f5f9719e396e2dec6bfb0272ce

SHA256
14ca2227aa40516b643605613da4f01670c5e4508153ef4e2e74c7280377897d

SHA512
3b3256972135315987641deb76f342f0c6ee5780fb64cb8cba5e5d3e31c80aa05c23cd9d670e1e80b0e363db69d0bc291c196f38fe701a6d156d35bde9d7dabd

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
7cc23465104f3f374e3ca878774e04f1

SHA1
d6558cbc58bcb50a331d9b4987026fa91d36b77d

SHA256
80466874e8c01823e24a630a23da4e364ad40db21711bb7557bd73042bb0126f

SHA512
d9b4f8ee72b2327ae07609423f093ee939ea912608299b1e3e272c9ac2099d260b03fcb5ccefec2624854e775073f50b717c8c10d6298ee6bbd72c999aeda9f7

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
3781d9026f1fb9cc727ec6c0ed2ebe2f

SHA1
1c6e8974ee27d8b8111193e08b82d0946f96c6ed

SHA256
d1d984d9cb62a87dd6ce85ffdde3c7389c6c44022208d568ad09ad67f8483f71

SHA512
9ccb83eb855c038ec04690666e74784b0811e4eccc7534f77404c21e397493a4ebbf828d7b33978aecc3417ab0132b8ddd02a3cd4dcf0a224ecc9eeb4606c449

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
a09e6a1143d494d0db90ffcf005f1edf

SHA1
ca32e738c284193ba8a5a687e0a5760523d9892a

SHA256
107c583edf00ec8c23049b0e2c4c3a53f9bfdfaf72a6ee14b8251aa0d4503ec9

SHA512
1837e0f822d12f8d5372ac8811a017e1a2de681bb3ebd2b33542b439b274a18f6f66526913af5316ddd848e2db24e2d0647e5d8522e29d52bd74a56745fe6121

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
700688c5464a86b876f6879b98b559ea

SHA1
751e5eacf4ab7af9dacb95026a4aa017ae7413aa

SHA256
776023d157a45f2ea86b1c93d49b3a0982910b30a8c74dbe14e909c314b277a9

SHA512
8aca93b6b1f8cc1e189a8d621d2dabd743576a69ca045c74beae983232473ce7f8adf9894f3fb3d889a2b232a42316b5d10008dabe9714a84f525e2d9d1d8347

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
386bf365fd67bae69478265145a28e52

SHA1
266b624a5114e28fb5dc83d26c182b878d49051b

SHA256
22a96333074915b0ec59c0368141dbbbf88efe7ef0650375a84dd2a3e85f3344

SHA512
37d8e46b6ee127d207d6a6e11248d4a9725d2f42a8c433798beb389b8d46157d302f6c9c6ba4af1fd457a9f3c9cb63a6d9283808c9c601acd3ce621aafbdf3d9

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
37d26adaed617f50454a5d20d58bcff9

SHA1
7bb73480de9587d28eb2903bfae4163f8661bb78

SHA256
2656d74f00b7850958a65de368e283cdaa651e22dd205288f6666a469c420e64

SHA512
f8d2e2bc502472cca482e1a6c6a96464e703f39ff79c81f7b7e12d4ae5adaf51ebf9e22d098fb3ad2a57df4a2f266e485f369e6567cebd2e70b26ff9cc9f5750

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
db7328862c9c16565fe9fb3584b8f02f

SHA1
d07b2242a3e130247bbf0074dd00f3624092e942

SHA256
cad1a19e65152887d811a44aefadd880e3dd964a947f7c3d3ea86137b89a25f9

SHA512
fe107bcad1d2a4a842aca445f506dda72bb580b00849533ba3dfb192750c5f299cf53ac5019abd651d85d299d7ca5906186adc01fcf71b95a1bd0f02a1e81de4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
18cc9ec9e4df0f310467873f7840d959

SHA1
aca6892657f97ba4e66922cd6930fb0efb97d2e9

SHA256
99ad65bc30051bfd5b4f6f819e30cb218776ab6ffc738f34dc7212fa49a58259

SHA512
8a5bf7b9dc8f0ce06198d3602fc3c5dcae13cd5d8d44e43909c2ce4ebb44e7165fb94942b308a9dd2dac579de94a1ae3f150dea329c6c0abac85811a23f07f98

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
96KB

MD5
892ec9ce5ddc5bc984b441a57f55bd04

SHA1
2ce7a61e8432771233723ac5d11226916c3dc862

SHA256
5b97fe70988634dc9a47c1f7329912f44b45d1d97ebcad40f1501742462d7468

SHA512
630a211ee8faea61289710bff2fe8dd464fe6f75597db98ec30c96db34bfbbb928a74ead23bdb49bd67fbfce12c8b22ff4673b7b3c27ea9957010873c66143ad

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
007b816d28ea7b06f8bc7d2acf615af5

SHA1
98795422ac14f8ef3cdbe7e29b1398161ba4cd88

SHA256
e3c67f62ccd4c348a3c88038ac74fd24786fcf51b60321726021fdb535ed2f51

SHA512
2c8dac8436ca6aecb028bb3f2c4ffcac3ca0d976bd60efdd577abe6555739ffd1849b9ab9a39c13c397de35de213829deaef68442fcea43fd63abc9adfb684fd

Download Submit
memory/228-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4316-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads