berbew | 2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9

Analysis

max time kernel
92s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
Size

96KB
MD5

9e724d702527e450396e1dd958af5486
SHA1

29b3751f9d972058e1aa20b8f30fbab8be80dbfd
SHA256

2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9
SHA512

fb3e344a576c8a3fa4d8bd1b447c6ae2dfb4f037e3fbd6dafe5b296205171b7c2ade435f9046f064553680d639a09d1046a9a1d0867ba1739224500ca2590e49
SSDEEP

1536:tMoiIziB3Iq1Mpz+WJRYMfXbWHFzUszBce9MbinV39+ChnSdFFn7Elz45zFV3zMv:hiWy39MpzpRYMjkFzBcAMbqV39ThSdn4

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
1872	Banllbdn.exe
3008	Bclhhnca.exe
3716	Bjfaeh32.exe
2064	Bmemac32.exe
752	Cfmajipb.exe
3824	Cmgjgcgo.exe
4932	Chmndlge.exe
3544	Cmiflbel.exe
3760	Cdcoim32.exe
1652	Cfbkeh32.exe
2724	Cnicfe32.exe
2316	Cagobalc.exe
4340	Chagok32.exe
3508	Cajlhqjp.exe
2532	Cffdpghg.exe
5096	Cnnlaehj.exe
1720	Ddjejl32.exe
2568	Dopigd32.exe
4692	Ddmaok32.exe
4756	Dfknkg32.exe
3676	Delnin32.exe
1876	Dhkjej32.exe
3408	Dodbbdbb.exe
3992	Dhmgki32.exe
3920	Dkkcge32.exe
2660	Daekdooc.exe
4644	Dknpmdfc.exe
4804	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3436	4804	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1872	4948	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe	83
PID 4948 wrote to memory of 1872	4948	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe	83
PID 4948 wrote to memory of 1872	4948	2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe	83
PID 1872 wrote to memory of 3008	1872	Banllbdn.exe	84
PID 1872 wrote to memory of 3008	1872	Banllbdn.exe	84
PID 1872 wrote to memory of 3008	1872	Banllbdn.exe	84
PID 3008 wrote to memory of 3716	3008	Bclhhnca.exe	85
PID 3008 wrote to memory of 3716	3008	Bclhhnca.exe	85
PID 3008 wrote to memory of 3716	3008	Bclhhnca.exe	85
PID 3716 wrote to memory of 2064	3716	Bjfaeh32.exe	86
PID 3716 wrote to memory of 2064	3716	Bjfaeh32.exe	86
PID 3716 wrote to memory of 2064	3716	Bjfaeh32.exe	86
PID 2064 wrote to memory of 752	2064	Bmemac32.exe	87
PID 2064 wrote to memory of 752	2064	Bmemac32.exe	87
PID 2064 wrote to memory of 752	2064	Bmemac32.exe	87
PID 752 wrote to memory of 3824	752	Cfmajipb.exe	88
PID 752 wrote to memory of 3824	752	Cfmajipb.exe	88
PID 752 wrote to memory of 3824	752	Cfmajipb.exe	88
PID 3824 wrote to memory of 4932	3824	Cmgjgcgo.exe	89
PID 3824 wrote to memory of 4932	3824	Cmgjgcgo.exe	89
PID 3824 wrote to memory of 4932	3824	Cmgjgcgo.exe	89
PID 4932 wrote to memory of 3544	4932	Chmndlge.exe	90
PID 4932 wrote to memory of 3544	4932	Chmndlge.exe	90
PID 4932 wrote to memory of 3544	4932	Chmndlge.exe	90
PID 3544 wrote to memory of 3760	3544	Cmiflbel.exe	91
PID 3544 wrote to memory of 3760	3544	Cmiflbel.exe	91
PID 3544 wrote to memory of 3760	3544	Cmiflbel.exe	91
PID 3760 wrote to memory of 1652	3760	Cdcoim32.exe	92
PID 3760 wrote to memory of 1652	3760	Cdcoim32.exe	92
PID 3760 wrote to memory of 1652	3760	Cdcoim32.exe	92
PID 1652 wrote to memory of 2724	1652	Cfbkeh32.exe	93
PID 1652 wrote to memory of 2724	1652	Cfbkeh32.exe	93
PID 1652 wrote to memory of 2724	1652	Cfbkeh32.exe	93
PID 2724 wrote to memory of 2316	2724	Cnicfe32.exe	94
PID 2724 wrote to memory of 2316	2724	Cnicfe32.exe	94
PID 2724 wrote to memory of 2316	2724	Cnicfe32.exe	94
PID 2316 wrote to memory of 4340	2316	Cagobalc.exe	95
PID 2316 wrote to memory of 4340	2316	Cagobalc.exe	95
PID 2316 wrote to memory of 4340	2316	Cagobalc.exe	95
PID 4340 wrote to memory of 3508	4340	Chagok32.exe	96
PID 4340 wrote to memory of 3508	4340	Chagok32.exe	96
PID 4340 wrote to memory of 3508	4340	Chagok32.exe	96
PID 3508 wrote to memory of 2532	3508	Cajlhqjp.exe	97
PID 3508 wrote to memory of 2532	3508	Cajlhqjp.exe	97
PID 3508 wrote to memory of 2532	3508	Cajlhqjp.exe	97
PID 2532 wrote to memory of 5096	2532	Cffdpghg.exe	98
PID 2532 wrote to memory of 5096	2532	Cffdpghg.exe	98
PID 2532 wrote to memory of 5096	2532	Cffdpghg.exe	98
PID 5096 wrote to memory of 1720	5096	Cnnlaehj.exe	99
PID 5096 wrote to memory of 1720	5096	Cnnlaehj.exe	99
PID 5096 wrote to memory of 1720	5096	Cnnlaehj.exe	99
PID 1720 wrote to memory of 2568	1720	Ddjejl32.exe	100
PID 1720 wrote to memory of 2568	1720	Ddjejl32.exe	100
PID 1720 wrote to memory of 2568	1720	Ddjejl32.exe	100
PID 2568 wrote to memory of 4692	2568	Dopigd32.exe	101
PID 2568 wrote to memory of 4692	2568	Dopigd32.exe	101
PID 2568 wrote to memory of 4692	2568	Dopigd32.exe	101
PID 4692 wrote to memory of 4756	4692	Ddmaok32.exe	102
PID 4692 wrote to memory of 4756	4692	Ddmaok32.exe	102
PID 4692 wrote to memory of 4756	4692	Ddmaok32.exe	102
PID 4756 wrote to memory of 3676	4756	Dfknkg32.exe	103
PID 4756 wrote to memory of 3676	4756	Dfknkg32.exe	103
PID 4756 wrote to memory of 3676	4756	Dfknkg32.exe	103
PID 3676 wrote to memory of 1876	3676	Delnin32.exe	104

C:\Users\Admin\AppData\Local\Temp\2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe
"C:\Users\Admin\AppData\Local\Temp\2499d6cea1970082fe745225440747892961fdf393d133a7114e624c82893db9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\Banllbdn.exe
  C:\Windows\system32\Banllbdn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\Bclhhnca.exe
    C:\Windows\system32\Bclhhnca.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\Bjfaeh32.exe
      C:\Windows\system32\Bjfaeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 404
        30⤵
        Program crash
        
        PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4804 -ip 4804
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
ce72bd29ced7bab26529f4f26a02b743

SHA1
82e2cd9a659108693aeb11fa6dbfbebe9d1f4d4c

SHA256
e4e3d550675e55bbe39f615fed20fb128ea535b3fc10fc6fe9699c2ddfd3fd88

SHA512
2c0be8d22bfecad1f9918c16f74fb9fee2619d817ec20977a2f5adde909b804100a77f433fc0fab050c25511a58498b48bb5e652c811cfdce0ea2e7a3b3c03f8

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
67d29d5a33da8ce858bc6d94f74c8d5e

SHA1
7e8185454c7a16cc532ff27c0fa824b9d1094fe8

SHA256
010304a9f8bdb3e46ec4f5f532871b091bfc33f732edaa47b2dca870127bf995

SHA512
a44f4e543e2d8d9ea95aee79ae8c1ebf9fe9d1b3844da5100669615cff6996f8e2d40d48874b2cf9a543ed387ab96e5fff4de7c3b3b97cfbe6ecad409884d2ce

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
540c72bd82b0b42a468600b64fe4f62a

SHA1
6b8872ede13f2034e2486cda6992def8547e7151

SHA256
3918f36958dcc833b75f8ec3fa5e0649a86bb8bac7fce8a29a7d95ed46884c3e

SHA512
addb80e3bfe8f5b66c7fba56c2c5d110e888b872870ab94ff9b9fb2f3d4932f864227d077effd30789b3010ee72636c5c9df3832f31905af1405d03bbb75dee5

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
0080ef4b06c573b77153100defc25820

SHA1
0cc8f0d42d56fbc9c27dbd5234f83455f088e784

SHA256
ba1179a65d826562eae292a7dad57e307eb54c6a93dabb0962041e4eb398c01d

SHA512
2bf6e7b163e69b824f28875ed10c4190d20a796c7d98e26153c46c63f337cf19f4618c83041d25284561d43d69a9b3f3d9a162b5e10bc213ea10b8e79619c3b7

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
627a8182ca796424a5a676a48fabc458

SHA1
e7f13c0b99520188259dea05ee7ea15bb1cc931d

SHA256
3322c5712e3ca2a6ddb5807d00eaca87fae655894eb69252f74a78e5cf27653c

SHA512
d5622235529d16e0a06cec3d46bec1dedf426f24e96d07cb447e3dedbac208140833f4b5c13c5e0f6f6cc7b451fcc15593685abe8029093ad68348f9cb961f76

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
2102e2e9b0a84109d9046ba04726b8f8

SHA1
286345d0ad347e367c38cd05322d0697cfe39dab

SHA256
ab6205b4441812175558499fef8c927dee33b563d8949b6f43ac2d49ff9587c2

SHA512
8ae043bfe1f02919ff73cbef7fe7fd88e53eb64b2a6c4505b707ecac12ee588cdc3231b665a0716003a2cbbfa1e6ceb1b4193455c070ea6e8a260c7baf30b9bf

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
96KB

MD5
5dbdebd3e068bfd2e0809b191032b76d

SHA1
6b3a85cf75efbcf9cad728d745ff47d96ced765f

SHA256
e2d82d15d226fe933b88b089e694416847f55fbfc2da419e2575f25f389244aa

SHA512
bb0cf060374d48c5eb68472329e69e98904111e7f8d3c996b19dd555dbd31037af0ccfe3d8faa8e0a42f621a82384622678e850de21d8d1b3e05e860d5854c95

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
1922f36cb81a2cc9466a6262d6263888

SHA1
c47bbf3859f6773948ad457d921cbe355a2d2c6b

SHA256
0c490938d1205ca30c5eccedb8a2c25e803ef3dda42db46f07dd72e92249536b

SHA512
5dd9f7d8c385827abdcda4dd161b8dc1d8b0c4677daa724c9fa927e04a1ac2c2c4f1662e83b2431a947ffa787f3eccf0b21069144f36c44989f814412ed98382

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
bb3de1b1f295d648a4baba17a8106f25

SHA1
3873c1cdbcb426c013676952b7747ab0c74a3ba8

SHA256
5b33e8738d8c6580361ae50a60ec22046aca650c7c991e05d0c34290808a069f

SHA512
df496e9734fecd2c9854fc0016f1370e9f702696e89bda01c970dc155f6b9960a756b158aa2965f4a51253a614d99786e49900a15b4176ace337b43f1634b54a

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
96KB

MD5
c653a98900aa582c59e7e6c739a7a6c9

SHA1
4eeddf16d73d604dcc46febcbb8728506bf5ba70

SHA256
415f70e2a41998670dcdbbf174476517dfeda12db491e85187bb18166ca765b7

SHA512
57cadd0902534adac1d719350a16e797c4e42866773bea4deb87630e65db0be89aa651f054fdd8a5b0ff28867b24f10446d8287366c1d3412edacc1ab644c589

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
b84972b8836a2280d3c5190e9851a4e8

SHA1
e945acd78f5973be6ad2aa229094be33723482b5

SHA256
a5310abbd707a8aafc41b2a02a4a68079db7278f65c842bc98c123161f9146fa

SHA512
5bdffda6ebb2cce25e78d251c7a84cb79dc17701adc8a7d283d92ffe8a5f3b89e7101b654bf4cb6962c2fa520e41afd88108db7f44e0fc731646d12fb4be063a

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
d268e5a6ff2901e7782e174ee292fad2

SHA1
54f4ce7435773b7de4eed6f7e3c07de86ec94d0c

SHA256
004b2b32b2791e7d141826bc878cb2d5647164baf91b51cd30ab5239d3e2f649

SHA512
2217621b92f0262f267a5386676aca85edad5e66945e7761672545b274e1f8f18d240320547dfc5338ef4ba37aab6df415bf563e9af602268b55df93fcb6f4a9

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
baf06bef828749db0dc5d42cf7cbaa75

SHA1
3e2cdf565f96d7494c6c9f4efa9249b5db7f4032

SHA256
c5fe77c817f11dffd8fcfae8a941af20fe2eb3280459be5707c9e463eb6744a4

SHA512
8a5b289b8e5473caca73d23503251dd659c06dcf30c2c47694ace8cf78c4e1b83b5208ab36754f4b9b384d1c40caa155e32872a885fd593eb8eab3f0aa27cb95

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
84423d1b63be67c2f9d35df5d31f3d6c

SHA1
b99db2ece9e3243925f88c844fc6c8961deff96c

SHA256
83d5e9898f5e8db056d63464d23cd2b5250fcf2334af7bafbddb77807614a019

SHA512
eb80a13aba00ac7b9a2c3989c9e722aee3a34ddb8c3475d0e7f72266db0fe5f3f23ebf20ea9a5200d9ae70c3c01250bcae501b13b75310c04e65d4698b71170a

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
96KB

MD5
201fd7d915fa357e3dd1cd06f362a578

SHA1
1cf17209cfde82b820f70e864aaba2677b204cd6

SHA256
7db62887a3f9c3ca6f5626108fdfec796eb8c68d8d9353315234ba4718ee753f

SHA512
81ee9c5ab6dd344b33f82d298d5f12e75aa33f6507c575fc937b9eb8a7dbc7053f6dd868523fd5bbe774ef93a9aee0f01b3a064f5a9edc841fc19420c5d2cd8a

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
7ea1015da8a035b47b13a5562e326529

SHA1
80d8f9d4d0c0ffe2e37fc8267b7190c4c0988988

SHA256
0e0ccbe9fac4169946cb5635c722d69d9819ab32b17bcfdc96b77215edf4b553

SHA512
c0eb446d899e7aaf6c165e9d9c19c2fb522e89ecc5c38a4aebb29c6c4dd4a9312a1efe2b680ae76ba137c813c5c48a51dbfffdcb85ad9a878abc39d1e2be3457

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
7e82f766c50eb949b536cf43f378b949

SHA1
80086a1f77e88748d009eb9db2329ca6ff7cc08a

SHA256
4729a9ed249d85ac6a27bd7609c9fd18b0387a7fa983083a6601de9ca7b72efc

SHA512
eaaeecc717d5bc3ab7de807a2df85225d357746432d017edc519e173e99a45ae88731e9183ec2f7d4b3f439f0eeda1b1721ba51544e6ce24fe11ffe01df5b93c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
b8dc4faa9e2229921a4cae16470c0366

SHA1
b7ec4e64fd34631ab2a7029ce1b90bf8c2d9868f

SHA256
ded6b7e9d3e48662ed1cc6631ed1698a8bddb1dfdebb5a7a62bfbc6cb9999d5d

SHA512
e5c6c9f576172fe6e2e1b65a138b9474a6743bbf68da29b0b6cc09ec1eeb812db5ed73f2a446d9cde3a16b77349bfe75d70016c05324259299b1a81a7805b629

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
8fe40aa1981520257565b3b4835ccd6c

SHA1
54cb446bf194df73ed3e7118b403a404a3b4afae

SHA256
e20fba61a78121eadf2120dc8e7765b5cdc322969fe7ddae005408f3856a3a9e

SHA512
6b95f71f125b461c9277c6dc7d41bb71d725c9039756c87f9e2237f48b9faec21297e4655c29103032b4fd1b9dacaea3b25e9ce5fe75a7406d12e3b72aa0627c

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
a58ec2ecdb35bb32b32112ab0444d6d9

SHA1
313801b4281052b5a2d14bf9af422af95f510357

SHA256
e4d7e051db3c855c52173b3fd64df8792d91470b0c8635e20071a2d90d92a325

SHA512
e01d07cab6464758fc77061f5a750d5c62e170ee81fa845af510fc54566616bbef56107f01994fe35d968d35aa736f1039ff604c9c8590820d6f249e050ab641

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
81f1bcf39920fb7486bec55decc2b87f

SHA1
c1c7cafee8e2287837d826105de356fab919a352

SHA256
385b9ba6c0a57f5aab96a499dceabf610688c589ec851353fcb7e08dc0917e28

SHA512
cd9c9c3347ec51f9ffdf34dfeaabac82eb29169d0484fbe1767a562288ec8008b33ed4cf402798d12d3f2bb0a6b4b2cb00cfc1309ed2b70abe1ecf7826fe369d

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
8c2623f33c76294c3d8d59d14839bf54

SHA1
0b2dfc9464d730fff9d3d252dcb4f0bf9f9dc116

SHA256
b73dfb0e5d1bc07c0c838c4728da07b7ae652e9f36f97e13d1c5ed63d2775edf

SHA512
7bb9e9c8aa5f5ccbc6ccf03bbae2b716a2e470ff7455c1ae917727aac525483bc3dfb3de913507466ee4039e798f3589cdddd9b7e89a49975e5156a943ceb17d

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
e1e89c7dffcda000e3a7ed451237820a

SHA1
914fe2c26a254300c9a80f418cbdeb5ad697a959

SHA256
e9b8f68c83a3851dcfb5a0d0b797627b9ed2a1d529bf61f5c4eb14d8196ca374

SHA512
e7d94f071b8a83845b7a886ed2fe760b0f3dfcf9d057ff71b797fa9f7b8a6badd778090c7cd6ae0bd3c4c334a53cb5e0242c0ae04be3e4553bc7242fa2db25d5

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
96KB

MD5
303c5226b870d651dc7215ba64527f16

SHA1
ba7b135c9b4b5f8cfa139c6a8d98a246d55562fa

SHA256
6d5951d4f30170b352235f7f7d929c79c2050d0faf0cd20331a74641cfa90e72

SHA512
513f20fbebd178c42ea76f53a8f07f35231b7d9bb59e6f183d29a84c8d3e190cc5f8d38a5231fee01612a29d3904c058f0d610e69e29c456200887a330a150b9

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
2ee117156d290cb96c770b77ba145084

SHA1
be438ed7a7b89b6a369ef09ed2935be5f4eef18c

SHA256
249a97a987a063681ecc66a264219a0d044f727bf2be13b834b82cf76e775ee2

SHA512
18b84554601b0904c88b083777c55e8487057d89ae8cb5e2e45eb843aa3ca79231deb1bea85f970be707733dcef04285476b4eeba445480dfcc2195dd44f12bb

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
4cfa9d7c3dca641e98202cad5a5a6da3

SHA1
aac3d2dbf618fd3fc83b1b23933fbc75b5b2f6af

SHA256
b29836e0010a3f3de65e238b2aed8db00dff8f598d1bf52d8cd3a6cfd71af002

SHA512
5ac137107d3614d7df1c6fa426aed5fdf36480a0c0656ad0cc083b215a33b480b0d2840843df509c27f42b60bb81f94c809b2622edf7b2daf34d33b0839c4dda

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
65c90f47868fb263bc8a5267b98e5d18

SHA1
b136784d2417884174e163d418c47ce2078a9753

SHA256
08e7e392ec518b238b1c210b371d7ec4bd970738b69466945613734667289854

SHA512
1da093534d40566277c7b9c42c951bdd625a0cb3611aeb7e3f26ff3df6437c8132d5a921a49636d24f8a1c693bc034c0227ceaf3a32e7791329837e2603b2166

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
4c8185a22da40d1c53f0fe013bf12edf

SHA1
60f96188377c0033a1b100e0506b76a59d2e36cd

SHA256
b55ed064ea5ada3536b588c1a044f2057e737379bd4d8884e787c7e21410e28e

SHA512
d8feb1d700e2dc42e7f85f90874f1b6a3eb7852a2301e9b4ab5b1b2886605a10c9f8f98a9a27c2c1fc8e59422f5a36cda834b3a47ab36f9c7975930772d6f927

Download Submit
memory/752-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads